CVE-2023-6737

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
6.1MEDIUM
EPSS
4.6%
top 10.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Shortpixel Enable Media Replace
Timeline
PublishedJan 11

Description

The Enable Media Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the SHORTPIXEL_DEBUG parameter in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploiting this vulnerability requires the attacker to know the ID o

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.7

Affected Packages2 packages

Patches

Patch: plugins.trac.wordpress.orgPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-fh2m-jg7j-ghwg: The Enable Media Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the SHORTPIXEL_DEBUG parameter in all versions up to2024-01-11
CVEList
Enable Media Replace <= 4.1.4 - Reflected Cross-Site Scripting2024-01-11
CVE-2023-6737 (MEDIUM CVSS 6.1) | The Enable Media Replace plugin for | cvebase.io