Rewterz Threat Advisory – ICS: Mitsubishi Electric GX Works3 Vulnerability
September 27, 2023
Rewterz Threat Alert – Bitter APT Group – Active IOCs
September 28, 2023
Severity
Medium
Analysis Summary
CVE-2023-41867 CVSS:7.1
AcyMailing SMTP Newsletter Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-41868 CVSS:7.1
Stagtools Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-5162 CVSS:6.4
Options for Twenty Seventeen Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability using the ‘social-links’ shortcode to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-41863 CVSS:7.1
PeproDev CF7 Database Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-5135 CVSS:6.4
Simple Cloudflare Turnstile Plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability using the ‘gravity-simple-turnstile’ shortcode to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-5161 CVSS:6.4
Modal Window plugin for WordPress is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
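All six cross-site scripting entries above share one root cause: a value that originates with the user (a shortcode attribute or a URL parameter) is written into page markup without being escaped for the context it lands in. The following PHP is an added illustration written for this advisory; it is not code from any of the plugins named here. The shortcode name `social_links`, the attribute names `url` and `label`, and the query parameter `q` are hypothetical. It shows the unsafe pattern next to the hardened form that uses WordPress's own escaping helpers (`esc_url`, `esc_html`, `sanitize_text_field`).

```php
<?php
// Added example for this advisory; not the code of any listed plugin.
// [social_links url="..." label="..."] is a hypothetical shortcode.

// --- Vulnerable pattern: attribute values are concatenated into markup unchanged ---
function vuln_social_links_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'label' => '' ), $atts, 'social_links' );
    // A contributor can place arbitrary markup or a script: URL in either attribute;
    // it is rendered as-is for every visitor who views the page.
    return '<a href="' . $atts['url'] . '">' . $atts['label'] . '</a>';
}

// --- Hardened pattern: validate the URL, escape each value for its output context ---
function safe_social_links_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'label' => '' ), $atts, 'social_links' );

    // esc_url() returns '' for disallowed schemes (e.g. javascript:) and
    // percent/entity-encodes the remainder for safe use inside an href attribute.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return ''; // refuse to render rather than emit an unsafe link
    }
    // esc_html() neutralises <, >, &, " and ' so the label is plain text in a text node.
    return '<a href="' . $url . '">' . esc_html( $atts['label'] ) . '</a>';
}
add_shortcode( 'social_links', 'safe_social_links_shortcode' );

// --- Reflected variant: a query-string value echoed back into the response ---
function vuln_render_search_term() {
    // Whatever follows ?q= in the clicked URL is written straight into the HTML.
    echo 'Results for: ' . $_GET['q'];
}

function safe_render_search_term() {
    // wp_unslash() removes WordPress's added slashes, sanitize_text_field() strips
    // tags and control characters, and esc_html() encodes for the HTML text context.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo 'Results for: ' . esc_html( $q );
}
```

The defensive rule the hardened functions follow is "escape late, for the exact context": `esc_url()` for an `href`, `esc_attr()` for any other attribute, `esc_html()` for text between tags. Sanitizing on input (`sanitize_text_field`) is a useful extra layer but is not a substitute for output escaping, because the same stored value may later be emitted in a different context.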
CVE-2023-4281 CVSS:5.3
Activity Log Plugin for WordPress could allow a remote attacker to conduct spoofing attacks, caused by the plugin trusting an untrusted HTTP header when determining the IP address of a request. An attacker could exploit this vulnerability to control the IP address the plugin records for the request, which could lead to IP spoofing in the log.
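The spoofing weakness in the last entry comes from reading the client address out of a request header such as `X-Forwarded-For`, which any client can set, instead of (or in preference to) the address of the TCP connection that the web server places in `REMOTE_ADDR`. The PHP below is an added illustration for this advisory, not the Activity Log plugin's code. `TRUSTED_PROXIES` and the sample request arrays are constructed values; the hardened function only honours the forwarding header when the immediate peer is one of the site's own proxies, and validates the result before it is logged.

```php
<?php
// Added example for this advisory; not the Activity Log plugin's own code.

// --- Vulnerable pattern: the first header present wins, and all of them are client-controlled ---
function vuln_get_client_ip( array $server ) {
    foreach ( array( 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR' ) as $key ) {
        if ( ! empty( $server[ $key ] ) ) {
            return $server[ $key ]; // a forged header is returned before REMOTE_ADDR is consulted
        }
    }
    return '';
}

// --- Hardened pattern ---
// Constructed, site-specific list of reverse proxies this site operates.
// REMOTE_ADDR is filled in by the web server from the socket and cannot be set by the client.
const TRUSTED_PROXIES = array( '10.0.0.5' );

function safe_get_client_ip( array $server ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';

    // Honour X-Forwarded-For only when the peer that connected to us is a trusted proxy.
    if ( in_array( $remote, TRUSTED_PROXIES, true ) && ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        // The header is a comma-separated chain; each proxy appends the address it received from.
        $chain = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
        // Walk from the right, skipping our own proxies, to reach the first hop we did not add.
        for ( $i = count( $chain ) - 1; $i >= 0; $i-- ) {
            $candidate = $chain[ $i ];
            if ( in_array( $candidate, TRUSTED_PROXIES, true ) ) {
                continue;
            }
            // Only a syntactically valid IP address is allowed into the log.
            if ( filter_var( $candidate, FILTER_VALIDATE_IP ) !== false ) {
                return $candidate;
            }
            break; // malformed chain: fall back to the socket address
        }
    }
    return filter_var( $remote, FILTER_VALIDATE_IP ) !== false ? $remote : '';
}

// Constructed sample requests: a client connecting directly while sending a forged header,
// and a client arriving through the trusted proxy, which set the header itself.
$direct  = array( 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1' );
$proxied = array( 'REMOTE_ADDR' => '10.0.0.5',    'HTTP_X_FORWARDED_FOR' => '198.51.100.1' );

var_dump( vuln_get_client_ip( $direct ) );
var_dump( safe_get_client_ip( $direct ) );
var_dump( safe_get_client_ip( $proxied ) );
```

For the `$direct` request the vulnerable function returns the forged header value while the hardened one returns the socket address `203.0.113.7`; for the `$proxied` request the hardened function returns `198.51.100.1` because the header was appended by a proxy in `TRUSTED_PROXIES`. When reviewing a logging or rate-limiting plugin, the check to make is exactly this: is a forwarding header ever trusted without first confirming who sent it?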
Impact
- Cross-Site Scripting
- Gain Access
Indicators Of Compromise
CVE
- CVE-2023-41179
Affected Vendors
WordPress
Affected Products
- AcyMailing SMTP Newsletter Plugin for WordPress 8.6.2
- Stagtools Plugin for WordPress 2.3.7
- Options for Twenty Seventeen Plugin for WordPress 1.23.2
- PeproDev CF7 Database Plugin for WordPress 1.7.0
- Simple Cloudflare Turnstile Plugin for WordPress 1.23.2
- Modal Window Plugin for WordPress 5.3.5
- Activity Log Plugin for WordPress 2.8.7
Remediation
Upgrade to the latest version of Activity Log Plugin, available from the WordPress Plugin Directory.