Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-4148

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

6.1MEDIUM

EPSS

9.9%

top 6.98%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Unknown Ditty Metaphorcreations Ditty

Timeline

PublishedSep 25

Description

The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5unknown/ditty< 3.1.25

▶NVDmetaphorcreations/ditty< 3.1.25

🔴Vulnerability Details

GHSA

GHSA-m968-5jwq-gjrc: The Ditty WordPress plugin before 3↗2023-09-25

▶

CVEList

Ditty < 3.1.25 - Reflected XSS↗2023-09-25

▶

💥Exploits & PoCs

Nuclei

Ditty < 3.1.25 - Cross-Site Scripting

▶