CVE-2023-6529

CWE-79 — Cross-site Scripting (XSS)CWE-352 — Cross-Site Request Forgery (CSRF)CWE-284 — Improper Access Control3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.4%

top 38.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown WP VR Rextheme WP VR

Timeline

PublishedJan 8

Description

The WP VR WordPress plugin before 8.3.15 does not authorisation and CSRF in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5unknown/wp_vr< 8.3.15

▶NVDrextheme/wp_vr< 8.3.15

🔴Vulnerability Details

GHSA

GHSA-95jv-pcxp-g9qj: The WP VR WordPress plugin before 8↗2024-01-08

▶

CVEList

WP VR < 8.3.15 - Unauthenticated Plugin Downgrade leading to XSS↗2024-01-08

▶