Stored Cross-Site Scripting Vulnerability in Garden Gnome Package Plugin for WordPress
CVE-2023-5664

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Garden Gnome Package
Vendor: CVE Published:; 22 November 2023

Summary

The Garden Gnome Package plugin for WordPress is susceptible to Stored Cross-Site Scripting through its 'ggpkg' shortcode in all versions up to and including 2.2.8. This vulnerability stems from inadequate input sanitization and output escaping on attributes supplied by users. Authenticated attackers with contributor-level permissions can exploit this flaw to inject arbitrary web scripts into pages, leading to their execution whenever an unsuspecting user accesses the compromised page. A partial patch was implemented in version 2.2.7, with a complete fix introduced in version 2.2.9.

Affected Version(s)

Garden Gnome Package * <= 2.2.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/garden-gnome-p...

https://plugins.trac.wordpress.org/changeset/2987987/gard...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 22, 2023
Vulnerability Reserved
Oct 19, 2023

Credit

István Márton