Cyber Resilience

CVE-2023-0602

Severity: Medium · Public PoC available

Published: 31 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS score: 0.0738 (91.9th percentile)
Risk priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-0602 is a medium-severity vulnerability of unspecified weakness type (no CWE listed) in Johnniejodelljr Twittee Text Tweet. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 8.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Twittee Text Tweet WordPress plugin through version 1.0.8 contains a reflected cross-site scripting vulnerability. The root cause is insufficient escaping of POST parameter values that are echoed back to the user within one of the plugin's administrative pages; the CVE record rates it at CVSS 3.1 score 6.1.

An unauthenticated remote attacker can supply a crafted link or request that, when followed by an administrator, executes arbitrary script in the context of the WordPress administrative interface. Successful exploitation has limited impact on confidentiality and integrity with changed scope, and it requires user interaction from the targeted administrator.

The associated EPSS score remains flat at 0.0738 with no material increase after disclosure. No additional details on patches or real-world exploitation activity are provided in the available references.

Vulnerability details

The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values that are printed back to the user inside one of the plugin's administrative pages, which allows reflected XSS attacks targeting administrators.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: johnniejodelljr
Product: twittee text tweet
Versions: ≤ 1.0.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.