Reflected Cross-Site Scripting Vulnerability in Matomo Analytics Plugin for WordPress
CVE-2023-6923

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Matomo Analytics – Ethical Stats. Powerful Insights.
Vendor: CVE Published:; 29 February 2024

Summary

The Matomo Analytics plugin for WordPress is subject to a Reflected Cross-Site Scripting vulnerability due to inadequate input sanitization and output escaping. This flaw allows unauthenticated attackers to inject arbitrary web scripts by manipulating the idsite parameter in all versions up to and including 4.15.3. If an unsuspecting user clicks a malicious link, this could compromise the security of their session, leading to potential data breaches or account takeover.

Affected Version(s)

Matomo Analytics – Ethical Stats. Powerful Insights. * <= 4.15.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 29, 2024
Vulnerability Reserved
Dec 18, 2023

Credit

Felipe Restrepo Rodriguez