Stored Cross-Site Scripting Vulnerability in ImageMapper Plugin for WordPress
CVE-2023-5507

5.4MEDIUM

Key Information:

Vendor
Wordpress
Status
ImageMapper
Vendor
CVE Published:
7 November 2023

Summary

The ImageMapper plugin for WordPress allows authenticated users with contributor permissions and higher to exploit a Stored Cross-Site Scripting vulnerability. This occurs via the 'imagemap' shortcode, as insufficient input validation and output escaping allows attackers to inject arbitrary scripts into webpages. When users access these compromised pages, the injected scripts are executed, potentially leading to unauthorized actions and data exposure.

Affected Version(s)

ImageMapper * <= 1.2.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/imagemapper/ta...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lana Codes
.