CVE-2023-6164

CVSS v3 2.2 LOW

2.2^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.7 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

T

he MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags.

References

Link	Resource
https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail=	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve	Third Party Advisory
https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail=	Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mainwp:mainwp:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 08:43

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~4.8~~	v2 : unknown v3 : 2.2
References	~~() https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail= - Patch~~	() https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail= - Patch
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve - Third Party Advisory~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve - Third Party Advisory

Information

Published : 2023-11-22 16:15

Updated : 2024-11-21 08:43

NVD link : CVE-2023-6164

Mitre link : CVE-2023-6164

CVE.ORG link : CVE-2023-6164

JSON object : View

Products Affected

mainwp

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-6164", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 0.7}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}]}, "published": "2023-11-22T16:15:15.970", "references": [{"url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail=", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail=", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The MainWP Dashboard \u2013 WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the \u2018newColor\u2019 parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags."}, {"lang": "es", "value": "El complemento MainWP Dashboard \u2013 WordPress Manager for Multiple Websites Maintenance para WordPress es vulnerable a la inyecci\u00f3n de CSS a trav\u00e9s del par\u00e1metro 'newColor' en todas las versiones hasta la 4.5.1.2 incluida debido a una sanitizaci\u00f3n de entrada insuficiente. Esto hace posible que atacantes autenticados, con acceso a nivel de administrador, inyecten valores CSS arbitrarios en las etiquetas del sitio."}], "lastModified": "2024-11-21T08:43:17.070", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mainwp:mainwp:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "5022351F-FCEE-4A33-886C-40544C432C0D", "versionEndIncluding": "4.5.1.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}