WordPress Which Template File Plugin <= 4.9.0 is vulnerable to Cross Site Scripting (XSS)
CVE-2023-49177

7.1 HIGH

Key Information:

Vendor: WordPress
CVE Published: 15 December 2023

What is CVE-2023-49177?

A Cross-Site Scripting (XSS) vulnerability exists in the Which Template File plugin created by Gilles Dumas. The plugin does not properly neutralize user input during web page generation, which allows attackers to inject arbitrary scripts into web pages viewed by other users. The issue affects versions up to and including 4.9.0 and poses significant security risks: an attacker could potentially take control of user sessions or redirect users to malicious sites. To protect against this vulnerability, update to the latest version of the plugin and implement best security practices.

Affected Version(s)

which template file <= 4.9.0

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

LEE SE HYOUNG (Patchstack Alliance)