CVE-2023-4648

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Oct 20, 2023

Updated: Nov 7, 2023

CWE ID 94

CWE ID 918

Summary

CVE-2023-4648 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the WP Customer Reviews plugin for WordPress. Versions up to and including 3.6.6 are vulnerable, putting administrators with authenticated access at risk. Attackers can inject arbitrary web scripts into admin settings, leading to execution whenever a user accesses an injected page. This issue only affects multi-site installations and installations where unfiltered_html has been disabled. Unsanitized input and inadequate output escaping allow for this exploit.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

https://app.recordedfuture.com/live/sc/entity/tGoypS
https://www.cve.org/CVERecord?id=CVE-2023-4648
https://nvd.nist.gov/vuln/detail/CVE-2023-4648

Back to Vulnerability Database

CVE-2023-4648

CVSS 3.1 Score 9.8 of 10 (high)

Details

Summary

Advisories, Assessments, and Mitigations