CVE-2023-5057

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

5.4MEDIUM

EPSS

0.1%

top 70.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Activitypub Automattic Activitypub

Timeline

PublishedOct 16

Description

The ActivityPub WordPress plugin before 1.0.0 does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5unknown/activitypub< 1.0.0

▶NVDautomattic/activitypub< 1.0.0

🔴Vulnerability Details

CVEList

ActivityPub for WordPress < 1.0.0 - Contributor+ Stored XSS↗2023-10-16

▶

GHSA

GHSA-rcgg-pr6j-3pmh: The ActivityPub WordPress plugin before 1↗2023-10-16

▶