CVE-2023-0602
Published: 31 July 2023
Summary
CVE-2023-0602 is a medium-severity vulnerability in Johnniejodelljr Twittee Text Tweet; the record assigns it no CWE weakness classification. Its CVSS base score is 6.1 (Medium).
Operationally, it is ranked in the top 8.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
The Twittee Text Tweet WordPress plugin through version 1.0.8 contains a reflected cross-site scripting vulnerability. The root cause is insufficient escaping of POST parameter values that are echoed back to the user within one of the plugin's administrative pages, as described in the CVE record with a CVSS 3.1 score of 6.1.
An unauthenticated remote attacker can supply a crafted link or request that, when clicked by an administrator, executes arbitrary script in the context of the WordPress administrative interface. Successful exploitation yields limited impacts to confidentiality and integrity with changed scope, but requires user interaction from the targeted administrator.
The associated EPSS score remains flat at 0.0738 with no material increase after disclosure. No additional details on patches or real-world exploitation activity are provided in the available references.
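The following is an added illustration of the pattern described above, not code from the Twittee Text Tweet plugin: a hypothetical admin page that echoes a POST value, first with the value interpolated verbatim (the vulnerable pattern) and then with context-appropriate output escaping. The function names, the parameter name `tweet_prefix` and the sample request body are all constructed for the example. Plain `htmlspecialchars()` is used so the file runs without WordPress loaded; inside a plugin the equivalents are `esc_html()` for element content and `esc_attr()` for attribute values.

```php
<?php
// Added example, not the plugin's own code. Function names, the parameter
// name 'tweet_prefix' and the sample input below are constructed.

// Vulnerable pattern: the submitted value is concatenated into HTML as-is,
// so any markup it contains is rendered by the administrator's browser.
function render_settings_vulnerable(array $post): string
{
    $prefix = $post['tweet_prefix'] ?? '';
    return '<p>Current prefix: ' . $prefix . '</p>'
         . '<input type="text" name="tweet_prefix" value="' . $prefix . '">';
}

// Escape for HTML element content and double-quoted attribute values.
// ENT_QUOTES converts both quote characters, so the same helper is safe in
// both contexts used here. (WordPress: esc_html() / esc_attr().)
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every reflected value is escaped at the point of output.
function render_settings_fixed(array $post): string
{
    $prefix = $post['tweet_prefix'] ?? '';
    return '<p>Current prefix: ' . escape_for_html($prefix) . '</p>'
         . '<input type="text" name="tweet_prefix" value="'
         . escape_for_html($prefix) . '">';
}

// Constructed sample request body: the parameter carries markup that would
// break out of the attribute and inject a script element if left unescaped.
$sample_post = ['tweet_prefix' => '"><script>alert(1)</script>'];

echo "Vulnerable output:\n", render_settings_vulnerable($sample_post), "\n\n";
echo "Escaped output:\n", render_settings_fixed($sample_post), "\n";
```

Run with `php example.php`: the first block of output contains a live `<script>` element, the second shows the same input rendered as inert text (`&quot;&gt;&lt;script&gt;...`). Output escaping is the fix for the reflection itself; a nonce check on the form handler (`check_admin_referer()` in WordPress) additionally rejects cross-site submissions that lack a valid nonce, but only helps if it runs before any submitted value is echoed.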
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-12640
Vulnerability details
The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are printed back to the user inside one of the plugin's administrative pages, which allows reflected XSS attacks targeting administrators.
- CWE(s): none listed in the record
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.