Cross-Site Scripting Vulnerability in Buy Me a Coffee Plugin for WordPress
CVE-2023-2082
6.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 14 July 2023
What is CVE-2023-2082?
The Buy Me a Coffee – Button and Widget Plugin for WordPress is vulnerable to Cross-Site Scripting because the 'text value' set through the bmc_post_reception action is not adequately sanitized or escaped. Authenticated users with subscriber-level permissions or higher can inject arbitrary scripts into WordPress pages; the scripts execute when victims access those pages, potentially leading to malicious actions such as session hijacking or data theft.
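A hardened handler for this class of flaw, as an added example that is not the plugin's own code. It assumes the action is registered as a `wp_ajax_` hook; the handler, nonce, parameter and option names are hypothetical.

```php
<?php
// Added illustration; not the plugin's code. Everything named example_* and
// the 'text_value' / 'nonce' request parameters are hypothetical.

// Assumption: the action named in the advisory is a logged-in AJAX hook.
// wp_ajax_* hooks fire for ANY authenticated user, subscribers included,
// so the handler itself has to enforce authorization.
add_action( 'wp_ajax_bmc_post_reception', 'example_save_button_text' );

function example_save_button_text() {
    // 1. CSRF: reject requests that lack a valid nonce.
    check_ajax_referer( 'example_bmc_settings', 'nonce' );

    // 2. Authorization (assumed policy): only administrators may change
    //    site-wide widget text.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input sanitization: strip tags and control characters before storing.
    //    sanitize_text_field() returns '' for arrays and objects.
    $raw  = isset( $_POST['text_value'] ) ? wp_unslash( $_POST['text_value'] ) : '';
    $text = sanitize_text_field( $raw );

    update_option( 'example_bmc_button_text', $text );
    wp_send_json_success();
}

// 4. Output escaping: escape at render time for the context the value lands
//    in, even though it was sanitized on the way in. Values stored before the
//    fix, or written by another code path, are neutralized here.
function example_render_button() {
    $text = get_option( 'example_bmc_button_text', 'Buy me a coffee' );
    printf(
        '<a class="example-bmc-button" title="%s">%s</a>',
        esc_attr( $text ),  // attribute context
        esc_html( $text )   // element text context
    );
}
```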
Affected Version(s)
Buy Me a Coffee – Button and Widget Plugin * <= 3.6