WordPress Zotpress Plugin <= 7.3.3 is vulnerable to Cross Site Scripting (XSS)
CVE-2023-32961

7.1HIGH

Key Information:

Vendor: WordPress
Status: Zotpress
Vendor: CVE Published:; 12 June 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

An unauthenticated reflected cross-site scripting (XSS) vulnerability exists in the Zotpress plugin developed by Katie Seaborn, specifically in versions 7.3.3 and earlier. This flaw could allow attackers to inject malicious scripts into web pages viewed by unsuspecting users. When these scripts are executed in the context of the user’s browser, it can lead to unauthorized actions and data breaches. Users of the affected plugin are urged to take immediate precautions to mitigate the risk and keep their installations up to date.

Affected Version(s)

Zotpress <= 7.3.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-32961
Created by LOURC0D3

References

https://patchstack.com/database/vulnerability/zotpress/wo...

vdb-entry

https://lourcode.kr/posts/CVE-2023-32961-Analysis/

technical-description

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

🟡
Public PoC available
Jul 6, 2023
👾
Exploit known to exist
Jul 6, 2023
Vulnerability published
Jun 12, 2023
Vulnerability Reserved
May 16, 2023

Credit

LOURCODE (Patchstack Alliance)