Vulnerability Description
The `Embed Privacy` plugin for WordPress that prevents the loading of embedded external content is vulnerable to Stored Cross-Site Scripting via `embed_privacy_opt_out` shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Version 1.8.1 contains a patch for this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Epiph | Embed Privacy | < 1.8.1 |
Related Weaknesses (CWE)
References
- https://d.pr/v/ORuIatExploit
- https://github.com/epiphyt/embed-privacy/commit/f80929992b2a5a66f4f4953cd6f46cc2Patch
- https://github.com/epiphyt/embed-privacy/issues/199Issue Tracking
- https://github.com/epiphyt/embed-privacy/security/advisories/GHSA-3wv9-4rvf-w37gVendor Advisory
- https://d.pr/v/ORuIatExploit
- https://github.com/epiphyt/embed-privacy/commit/f80929992b2a5a66f4f4953cd6f46cc2Patch
- https://github.com/epiphyt/embed-privacy/issues/199Issue Tracking
- https://github.com/epiphyt/embed-privacy/security/advisories/GHSA-3wv9-4rvf-w37gVendor Advisory
FAQ
What is CVE-2023-48300?
CVE-2023-48300 is a vulnerability with a CVSS score of 6.3 (MEDIUM). The `Embed Privacy` plugin for WordPress that prevents the loading of embedded external content is vulnerable to Stored Cross-Site Scripting via `embed_privacy_opt_out` shortcode in versions up to, an...
How severe is CVE-2023-48300?
CVE-2023-48300 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-48300?
Check the references section above for vendor advisories and patch information. Affected products include: Epiph Embed Privacy.