CVE-2023-3169
Published 2023-09-11
Priority: P1 · 79 · medium · 6.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.59% (72.7th percentile)
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chrome_chrome | — | — | |
| linux | linux_kernel | >= 0 < 5.4.0-144.161 | 5.4.0-144.161 |
| tagdiv | tagdiv_composer | < 4.2 | 4.2 |
Detection & IOCs (extracted from sources)
sigma
matchers-condition: and
matchers:
  - type: word
    part: body
    words:
      - 'tdw-css-placeholder">console.log({{string}})'
  - type: word
    part: content_type
    words:
      - 'text/html'
  - type: status
    status:
      - 200
- Look for malicious script injected within specific HTML tags; the obfuscated injection can be found in the 'wp_options' table of the WordPress database.
- Detect the Nuclei probe fingerprint: a GET request to the REST route that returns a body containing 'tdw-css-placeholder">console.log(' with HTTP 200 and content-type text/html confirms the XSS injection point.
- Injected scripts use decimal-encoded ASCII obfuscation; decoding reveals the payload URL stay.decentralappps[.]com/src/page.js.
- Presence of the wp-zexit plugin mimicking WordPress admin behavior and hiding a backdoor in the website's Ajax interface is a strong post-exploitation indicator.
- Monitor for creation of new WordPress administrator accounts with auto-generated usernames based on the site's hostname, or the legacy username 'greeceman'.
- The vulnerability exists only in tagDiv Composer plugin versions before 4.2; upgrading to 4.2 or later remediates the unauthenticated stored XSS via the unprotected REST route.
- Attack waves evolved rapidly with increased randomization across injected scripts, URLs, and codes, making static IOC-based detection less reliable over time.
- The Nuclei detection template first checks for an empty-body JSON 200 response on the REST route before proceeding to the XSS reflection check; both conditions must be met.
CVSS provenance
nvd · v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
osv · 5.5 MEDIUM
vulncheck · 6.1 MEDIUM
GHSA
ghsa_unreviewed·2023-09-11
CVE-2023-3169 [MEDIUM] CWE-79 GHSA-84rx-q376-r85h: The tagDiv Composer WordPress plugin before 4
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.
OSV
linux-bluefield vulnerabilities
osv·2023-04-05·CVSS 5.5
CVE-2023-0461 linux-bluefield vulnerabilities
It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)
It was discovered that the NVMe driver in the Linux kernel did not properly
handle reset events in some situations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-3169)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
c
OSV
linux-ibm, linux-ibm-5.4 vulnerabilities
osv·2023-03-14·CVSS 5.5
CVE-2023-0461 linux-ibm, linux-ibm-5.4 vulnerabilities
It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)
It was discovered that the NVMe driver in the Linux kernel did not properly
handle reset events in some situations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-3169)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute ar
OSV
linux-raspi-5.4 vulnerabilities
osv·2023-03-09·CVSS 5.5
CVE-2023-0461 linux-raspi-5.4 vulnerabilities
It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)
It was discovered that the NVMe driver in the Linux kernel did not properly
handle reset events in some situations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-3169)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
c
OSV
linux-gcp-5.4 vulnerabilities
osv·2023-03-08·CVSS 5.5
CVE-2023-0461 linux-gcp-5.4 vulnerabilities
It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)
It was discovered that the NVMe driver in the Linux kernel did not properly
handle reset events in some situations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-3169)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
cod
OSV
linux-raspi vulnerabilities
osv·2023-03-07·CVSS 5.5
CVE-2023-0461 linux-raspi vulnerabilities
It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)
It was discovered that the NVMe driver in the Linux kernel did not properly
handle reset events in some situations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-3169)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU driver in the Linux kernel. A local attacker could possibly use this to
cause a denial of service (system crash) or possibly execute arbitrary
code.
OSV
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4 vulnerabilities
osv·2023-03-03·CVSS 5.5
It was discovered that the Upper Level Protocol (ULP) subsystem in the
Linux kernel did not properly handle sockets entering the LISTEN state in
certain protocols, leading to a use-after-free vulnerability. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-0461)
It was discovered that the NVMe driver in the Linux kernel did not properly
handle reset events in some situations. A local attacker could use this to
cause a denial of service (system crash). (CVE-2022-3169)
It was discovered that a use-after-free vulnerability existed in the SGI
GRU drive
VulnCheck
tagdiv tagdiv_composer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2023·CVSS 6.1
CVE-2023-3169 [MEDIUM] tagdiv tagdiv_composer Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.
Affected: tagdiv tagdiv_composer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22023.pdf; https://app.crowdsec.net/cti/cve-explorer/CVE-2
Chrome
Stable Channel Update for Desktop: CVE-2024-3169
vendor_chrome·2024-01-30·CVSS 8.8
CVE-2024-3169 [HIGH] Stable Channel Update for Desktop: CVE-2024-3169
Stable Channel Update for Desktop
CVE-2024-3169: Use after free in V8. Reported by johnshoop on 2024-01-14 [N/A][ 1511085 ] High CVE-2024-1077: Use after free in Network
Reported by Microsoft Security Research Center on 2023-12-13 [$8000][ 41491373 ] Medium CVE-2024-2884: Out of bounds read in V8
Severity: high
No detection rules found.
Nuclei
tagDiv Composer < 4.2 - Stored Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2023-3169 [MEDIUM] tagDiv Composer < 4.2 - Stored Cross-Site Scripting
tagDiv Composer console.log({{string}})%3Cstyle%3E
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'len(body) == 0'
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
        internal: true
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
    redirects: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'tdw-css-placeholder">console.log({{string}})'
      - type: word
        part: content_type
        words:
          - 'text/html'
      - type: status
        status:
          - 200
# digest: 4a0a0047304502203a666e1c665a8a33ae1d86d774a07c8a2d35164204e2d8fbde4dcbec2b2cde280221009dfb9bc73215063295528048c4eb45974d1ea4fafe6e1958bb15f1616b6a31f7:922c64590222798bb761d5b6d8e72950
Unit42
High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites
blogs_unit42·2023-11-09·CVSS 6.1
[MEDIUM] High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites
## Executive Summary
Since the end of August 2023, we have observed a significant rise in compromised servers specializing in clickbait and ad content. But why are sites like this such an attractive target for criminals? Mainly because these sites are designed to reach a large number of potential victims. Furthermore, clickbait sites often use outdated or unpatched software, making them vulnerable to compromise.
This article educates readers on the dangers of clickbait articles. We discuss how clickbait sites increase traffic for ad revenue. Additionally, we review a strategy to detect vulnerable clickbait sites based on the characteristics of their web traffic. Finally, we reveal trends on the recent jump in compromised clickbait sites based on exploitation of CVE-2023-3169.
Palo Alto
Unit42
High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites
blogs_unit42·2023-11-09·CVSS 6.1
CVE-2023-3169 [MEDIUM] High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites
## High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites
Shresta Bellary Seetharam
Tao Yan
Nabeel Mohamed
Tim Hofmockel
Alex Starov
Brad Duncan
Published: November 9, 2023
Cybercrime
Threat Research
Vulnerabilities
CVE-2023-3169
Web threats
Bleepingcomputer
Over 17,000 WordPress sites hacked in Balada Injector attacks last month
blogs_bleepingcomputer·2023-10-09·CVSS 6.1
[MEDIUM] Over 17,000 WordPress sites hacked in Balada Injector attacks last month
## Over 17,000 WordPress sites hacked in Balada Injector attacks last month
## Bill Toulas
Multiple Balada Injector campaigns have compromised and infected over 17,000 WordPress sites using known flaws in premium theme plugins.
Balada Injector is a massive operation discovered in December 2022 by Dr. Web, which has been leveraging various exploits for known WordPress plugin and theme flaws to inject a Linux backdoor.
The backdoor redirects visitors of the compromised websites to fake tech support pages, fraudulent lottery wins, and push notification scams, so it is either part of scam campaigns or a service sold to scammers.
In April 2023, Sucuri reported that Balada Injector has been active since 2017 and estimated that it had compromised nearly one million WordPress sites.
## Curr