CVE-2023-3746
ActivityPub for WordPress < 1.0.1 - Contributor+ Stored XSS
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The ActivityPub WordPress plugin before 1.0.0 does not sanitize and escape some data from post content, which could allow contributor and above role to perform Stored Cross-Site Scripting attacks
El complemento ActivityPub de WordPress anterior a 1.0.0 no sanitiza ni escapa algunos datos del contenido de la publicación, lo que podrÃa permitir que el colaborador y el rol superior realicen ataques de Cross-Site Scripting almacenados.
The ActivityPub plugin for WordPress is vulnerable to Stored Cross-Site Scripting via certain post content in versions up to, and including, 0.17.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-07-18 CVE Reserved
- 2023-09-25 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-09-15 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
https://wpscan.com/vulnerability/c15a6032-6495-47a8-828c-37e55ed9665a | 2024-08-02 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Automattic Search vendor "Automattic" | Activitypub Search vendor "Automattic" for product "Activitypub" | < 1.0.0 Search vendor "Automattic" for product "Activitypub" and version " < 1.0.0" | wordpress |
Affected
|