Cross-Site Scripting Vulnerability in Buy Me a Coffee Plugin for WordPress
CVE-2023-2082

6.4 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
14 July 2023

Summary

The Buy Me a Coffee – Button and Widget Plugin for WordPress is subject to a stored Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping of the 'text value' submitted through the bmc_post_reception action. This flaw allows authenticated users with subscriber-level permissions and higher to inject arbitrary scripts into WordPress pages; the scripts execute whenever a victim accesses an injected page, potentially leading to malicious actions such as session hijacking or data theft.
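The two halves of the flaw described above (missing authorization on the write path, missing sanitization and escaping on the value) are shown here as an added illustration, not as the plugin's own code or its vendor's fix. The hook name `wp_ajax_bmc_post_reception`, the option name `bmc_example_text`, the `text` and `nonce` parameters and all function names are assumptions; only the WordPress core APIs are real.

```php
<?php
// Added example, not code from the Buy Me a Coffee plugin. Hook, option and
// parameter names are assumptions chosen to mirror the advisory's wording.

// --- Vulnerable pattern: any logged-in user can store raw markup, and the
// --- widget prints it straight into the page (stored XSS).
function bmc_example_save_text_vulnerable() {
    // No nonce and no capability check: a subscriber-level user reaches this.
    $text = $_POST['text'] ?? '';              // raw, unsanitized input
    update_option( 'bmc_example_text', $text );
    wp_die();
}
// A vulnerable build would register it like this (left unregistered here):
// add_action( 'wp_ajax_bmc_post_reception', 'bmc_example_save_text_vulnerable' );

function bmc_example_render_vulnerable() {
    // Unescaped output: whatever was stored runs in every visitor's browser.
    echo '<span class="bmc-text">' . get_option( 'bmc_example_text', '' ) . '</span>';
}

// --- Hardened pattern: restrict who may write, validate the request,
// --- sanitize on input and escape on output.
function bmc_example_save_text_hardened() {
    // Only users allowed to manage settings may change the widget text.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'bmc_example_save_text', 'nonce' );

    // wp_unslash() undoes WordPress's added slashes; sanitize_text_field()
    // strips tags, line breaks and control characters from the value.
    $text = sanitize_text_field( wp_unslash( $_POST['text'] ?? '' ) );
    update_option( 'bmc_example_text', $text );
    wp_send_json_success();
}
add_action( 'wp_ajax_bmc_post_reception', 'bmc_example_save_text_hardened' );

function bmc_example_render_hardened() {
    // Escape for the HTML context at the point of output. Sanitizing on save
    // is not a substitute: the option can be changed by other code paths.
    echo '<span class="bmc-text">' . esc_html( get_option( 'bmc_example_text', '' ) ) . '</span>';
}
```

The capability check is what stops subscriber-level accounts from reaching the write path at all; the sanitize-on-input plus escape-on-output pair is what prevents stored markup from executing even if a privileged account saves it.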

Affected Version(s)

Buy Me a Coffee – Button and Widget Plugin, versions <= 3.6

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Lana Codes