Stored Cross-Site Scripting Vulnerability in Colibri Page Builder for WordPress
CVE-2023-6988
5.4 MEDIUM
Summary
The Colibri Page Builder plugin for WordPress is susceptible to a Stored Cross-Site Scripting flaw that arises from inadequate input sanitization and output escaping of user-supplied attributes within the plugin's extend_builder_render_js shortcode. As a result, authenticated attackers who possess contributor-level permissions or higher can exploit this vulnerability to inject arbitrary web scripts into web pages. These scripts will execute whenever users access the affected pages, posing significant security risks for any site utilizing this plugin.
Affected Version(s)
Colibri Page Builder * <= 1.0.239
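A defender's triage check for the issue summarized above, as an added example that is not part of the original advisory or the plugin's code: it tests a plugin version against the affected range and lists every use of the extend_builder_render_js shortcode in exported post content, flagging attribute values that contain markup or script-like syntax. The row layout and the attribute names demo_id and demo_mode are assumptions; the advisory does not name the shortcode's attributes.

```python
import re

SHORTCODE = "extend_builder_render_js"   # shortcode named in the advisory
LAST_AFFECTED = (1, 0, 239)              # "<= 1.0.239" from the advisory

# [extend_builder_render_js ...]; \b keeps longer shortcode names from matching.
TAG_RE = re.compile(r"\[" + SHORTCODE + r"\b([^\]]*)\]")
# name="value", name='value' or name=bare
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Markup, quoting, entities, script URLs or event-handler syntax inside a value.
RISKY_RE = re.compile(r"""[<>"'`]|&#|javascript:|\bon\w+\s*=""", re.I)

def is_affected(version):
    """True if a dotted plugin version falls in the advisory's affected range."""
    return tuple(int(p) for p in version.split(".")) <= LAST_AFFECTED

def audit_posts(posts):
    """posts: iterable of (post_id, author_role, post_content) rows.
    Returns one finding per use of the shortcode, listing attributes to review."""
    findings = []
    for post_id, role, content in posts:
        for tag in TAG_RE.finditer(content):
            attrs = {}
            for m in ATTR_RE.finditer(tag.group(1)):
                attrs[m.group(1)] = next(v for v in m.groups()[1:] if v is not None)
            risky = sorted(k for k, v in attrs.items() if RISKY_RE.search(v))
            findings.append({"post_id": post_id, "role": role,
                             "attrs": sorted(attrs), "risky": risky})
    return findings

# Constructed sample rows; demo_id and demo_mode are hypothetical attribute names.
SAMPLE_POSTS = [
    (101, "editor", 'Intro [extend_builder_render_js demo_id="hero-1"] text'),
    (102, "contributor", "[extend_builder_render_js demo_id='<em>hi</em>' demo_mode=fast]"),
    (103, "author", 'No builder shortcode here, only [gallery ids="1,2"].'),
]

if __name__ == "__main__":
    print("1.0.239 affected:", is_affected("1.0.239"))
    for f in audit_posts(SAMPLE_POSTS):
        print(f)
```

A flagged attribute is a prompt for manual review of that post, not proof of injection; on an affected version, every use of the shortcode by a contributor-level account is worth reviewing.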
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Hung -mov Nguyen