CVE-2023-3170

Severity: 4.8 MEDIUM
EPSS: 0.1% (top 66.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 11; latest update Jan 23

Description

The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin privileges to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Affected Packages: 2 packages

🔴 Vulnerability Details (2)

CVEList: tagDiv Composer < 4.2 - Admin+ Stored XSS (2023-09-11)
GHSA: GHSA-7578-qrmf-q6j6: The tagDiv Composer WordPress plugin before 4 (2023-09-11)

📋 Vendor Advisories (1)

Chrome: Stable Channel Update for Desktop: CVE-2024-3170 (2024-01-23)
CVE-2023-3170 (MEDIUM CVSS 4.8) | The tagDiv Composer WordPress plugi | cvebase.io