Vulnerability Description
The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This could lead to Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for subscriber-level attackers to access functions to save plugin data that can potentially lead to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Plugin | Waiting | <= 0.6.2 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/waiting/tags/0.6.2/templates/templateIssue Tracking
- https://plugins.trac.wordpress.org/browser/waiting/tags/0.6.2/waiting.php#L544Issue Tracking
- https://www.wordfence.com/threat-intel/vulnerabilities/id/38cc5a39-6ec3-4ce9-b9aThird Party Advisory
- https://plugins.trac.wordpress.org/browser/waiting/tags/0.6.2/templates/templateIssue Tracking
- https://plugins.trac.wordpress.org/browser/waiting/tags/0.6.2/waiting.php#L544Issue Tracking
- https://www.wordfence.com/threat-intel/vulnerabilities/id/38cc5a39-6ec3-4ce9-b9aThird Party Advisory
FAQ
What is CVE-2023-2757?
CVE-2023-2757 is a vulnerability with a CVSS score of 7.4 (HIGH). The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This cou...
How severe is CVE-2023-2757?
CVE-2023-2757 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-2757?
Check the references section above for vendor advisories and patch information. Affected products include: Plugin Waiting.