Stored Cross-Site Scripting Vulnerability in Sitekit Plugin for WordPress
CVE-2023-5071

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Sitekit
Vendor: CVE Published:; 20 October 2023

Summary

The Sitekit plugin for WordPress suffers from a serious stored Cross-Site Scripting vulnerability originating from the 'sitekit_iframe' shortcode. This flaw arises from inadequate input sanitization and output escaping methods implemented in versions up to 1.4. Authenticated attackers with contributor-level access or higher can exploit this vulnerability to inject arbitrary scripts into affected web pages. The injected scripts will execute in the browsers of users who visit the compromised pages, posing significant security risks and potential data breaches.

Affected Version(s)

Sitekit * <= 1.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/sitekit/trunk/...

https://plugins.trac.wordpress.org/changeset/2970788/sitekit

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Oct 20, 2023
Vulnerability Reserved
Sep 19, 2023

Credit

Lana Codes

Alex Thomas