CVE-2023-4294

Severity: 6.1 MEDIUM
EPSS: 36.4% (top 2.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 11

Description

The URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the Referer header, allowing an unauthenticated attacker to inject malicious JavaScript that executes in the plugin's admin panel when it displays statistics for a created short link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

CVEList V5: unknown/url_shortify < 1.7.6

Vulnerability Details (2)

GHSA
GHSA-57cx-38gf-xwrm: The URL Shortify WordPress plugin before 1 (2023-09-11)
CVEList
URL Shortify < 1.7.6 - Unauthenticated Stored XSS via referer header (2023-09-11)