Stored Cross-Site Scripting in CPO Companion Plugin for WordPress
CVE-2023-0162

4.8MEDIUM

Key Information:

Vendor

Wordpress
Status
CPO Companion
Vendor
CVE Published:
10 January 2023

What is CVE-2023-0162?

The CPO Companion plugin for WordPress is susceptible to Stored Cross-Site Scripting attacks due to inadequate input sanitization and output escaping in its content type settings parameters. This vulnerability allows authenticated users with administrator privileges to inject malicious scripts, which can be executed by unsuspecting users when they access the compromised pages. Attackers can exploit this flaw to manipulate content and gain unauthorized access to sensitive user data.

Affected Version(s)

CPO Companion * <= 1.0.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2023-0162 : Stored Cross-Site Scripting in CPO Companion Plugin for WordPress