Stored Cross-Site Scripting in Better Follow Button for Jetpack WordPress Plugin
CVE-2023-7168
What is CVE-2023-7168?
The Better Follow Button for Jetpack WordPress plugin, up to version 8.0, lacks adequate sanitization and escaping of certain settings. As a result, this oversight can enable high-privilege users, such as administrators, to execute Stored Cross-Site Scripting (XSS) attacks. This vulnerability poses a significant risk, especially in multisite installations where the unfiltered_html capability is restricted. Exploitation may allow attackers to inject malicious scripts, potentially compromising the integrity and security of the affected WordPress sites.
Affected Version(s)
Better Follow Button for Jetpack 0 <= 8.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved