CVE-2023-0420

EUVD-2023-12477
The Custom Post Type and Taxonomy GUI Manager WordPress plugin through 1.1 does not have CSRF, and is lacking sanitising as well as escaping in some parameters, allowing attackers to make a logged in admin put Stored Cross-Site Scripting payloads via CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CISA-ADPADP
4.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
Affected Products (NVD)
VendorProductVersion
custom_post_type_and_taxonomy_gui_manager_projectcustom_post_type_and_taxonomy_gui_manager
𝑥
≤ 1.1
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/266e417f-ece7-4ff5-a724-4d9c8e2f3faa
https://wpscan.com/vulnerability/266e417f-ece7-4ff5-a724-4d9c8e2f3faa