Stored Cross-Site Scripting in TaxoPress Plugin for WordPress
CVE-2023-2168

4.8 MEDIUM

What is CVE-2023-2168?

The TaxoPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting through the Suggest Terms Title field, because the value is neither adequately sanitized on input nor escaped on output. An authenticated attacker with Editor-level permissions or higher can store arbitrary web script in this field; the script is then rendered into pages and executes in the browser of any user who views them. Users should ensure they are running the latest version of TaxoPress to mitigate this risk.
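The root cause named above (a settings string stored verbatim and echoed without escaping) is the classic stored-XSS pattern in WordPress plugins. The following PHP is an added illustration written for this page, not TaxoPress's own code: every function and option name is hypothetical, the payload string is constructed for the demonstration, and the fallback definitions at the top are simplified stand-ins for the WordPress core functions so the file also runs under plain `php` on the command line. The point it shows is that sanitizing on input reduces what gets stored, but escaping at the exact output context (here HTML text via `esc_html`) is what actually stops the injected markup from being interpreted by the browser.

```php
<?php
// Added example, not TaxoPress code. All names below are hypothetical.
// Stand-ins so this file runs outside WordPress; inside WordPress the real
// core functions are used instead. The stand-ins are deliberately minimal.
$hypothetical_options = array();
if ( ! function_exists( 'update_option' ) ) {
    function update_option( $key, $value ) { global $hypothetical_options; $hypothetical_options[ $key ] = $value; return true; }
}
if ( ! function_exists( 'get_option' ) ) {
    function get_option( $key, $default = false ) { global $hypothetical_options; return isset( $hypothetical_options[ $key ] ) ? $hypothetical_options[ $key ] : $default; }
}
if ( ! function_exists( 'esc_html' ) ) {
    // WordPress esc_html() is richer, but HTML-entity encoding is its core effect.
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Approximation: strip tags and surrounding whitespace, as core does for plain text fields.
    function sanitize_text_field( $text ) { return trim( strip_tags( (string) $text ) ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return stripslashes( (string) $value ); }
}

// Constructed test input: a title carrying an event-handler payload.
$submitted_title = 'Suggested <img src=x onerror=alert(1)> tags';

// --- Vulnerable pattern: store verbatim, echo verbatim. ---------------------
function hypothetical_save_title_unsafe( $value ) {
    // No sanitization: the raw string lands in the database.
    update_option( 'hypothetical_suggest_terms_title', $value );
}
function hypothetical_render_title_unsafe() {
    // No escaping: stored markup is emitted as live HTML.
    return '<h3>' . get_option( 'hypothetical_suggest_terms_title', '' ) . '</h3>';
}

// --- Hardened pattern: sanitize on input, escape on output. -----------------
function hypothetical_save_title_safe( $value ) {
    // In a real admin handler this is where current_user_can() and
    // check_admin_referer() belong; they are omitted only because the
    // offline stand-ins above do not model users or nonces.
    update_option( 'hypothetical_suggest_terms_title', sanitize_text_field( wp_unslash( $value ) ) );
}
function hypothetical_render_title_safe() {
    // Escape for the HTML-text context. Use esc_attr() inside attributes instead.
    return '<h3>' . esc_html( get_option( 'hypothetical_suggest_terms_title', '' ) ) . '</h3>';
}

// Demonstration when run from the command line.
hypothetical_save_title_unsafe( $submitted_title );
echo "Unsafe render: " . hypothetical_render_title_unsafe() . PHP_EOL;

hypothetical_save_title_safe( $submitted_title );
echo "Safe render:   " . hypothetical_render_title_safe() . PHP_EOL;
// The safe render contains no '<img' element: any angle brackets that
// survive sanitization are entity-encoded by esc_html().
```

Detection-wise, the same distinction applies when reviewing a plugin: grep for settings values that reach `echo`, `printf` or inline attributes without passing through one of the `esc_*` helpers, and treat any Editor-writable field that does so as a stored-XSS candidate regardless of how it was sanitized on the way in.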

Affected Version(s)

TaxoPress (the WordPress Tag, Category, and Taxonomy Manager plugin): all versions <= 3.6.4

References

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability Published

  • Vulnerability Reserved

Credit

Ivan Kuzymchak