WordPress GD Security Headers Plugin <= 1.6.1 is vulnerable to Cross Site Scripting (XSS)
CVE-2023-40330

7.1HIGH

Key Information:

Vendor: WordPress
Status: Gd Security Headers
Vendor: CVE Published:; 27 September 2023

What is CVE-2023-40330?

The GD Security Headers plugin by Milan Petrovic is vulnerable to unauthenticated reflected Cross-Site Scripting (XSS) attacks in version 1.6.1 and earlier. This vulnerability allows attackers to exploit the plugin, potentially executing arbitrary JavaScript code in the context of the user's browser. This can lead to data theft, session hijacking, and other malicious activities, emphasizing the importance of securing WordPress installations against such threats.

Affected Version(s)

GD Security Headers <= 1.6.1

References

https://patchstack.com/database/vulnerability/gd-security...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 27, 2023
Vulnerability Reserved
Aug 14, 2023

Credit

minhtuanact (Patchstack Alliance)