CVE-2023-1890
Published: 15 May 2023
Summary
CVE-2023-1890 is a medium-severity vulnerability in Pauple Tablesome (the Tablesome WordPress plugin). The record assigns no CWE, but the flaw is a reflected cross-site scripting issue. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 7.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The Tablesome WordPress plugin before version 1.0.9 contains a reflected cross-site scripting vulnerability. The root cause is a failure to escape multiple generated URLs before they are emitted inside HTML attributes when plugin notices are rendered, allowing attacker-controlled content to be injected into the page output.
An unauthenticated attacker can craft a URL that causes the notices to be rendered with attacker-controlled input; when a victim follows that link, the injected script executes in the victim's browser within the origin of the affected site. The flaw carries a CVSS 3.1 base score of 6.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N): it requires user interaction but no privileges, has changed scope, and has limited impact on confidentiality and integrity.
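The pattern behind this class of bug, as an added example that is not the Tablesome plugin's own code: a notice builds a "dismiss" link from the current request URI and writes it into an `href` attribute. The function names (`tablesome_notice_*`, `build_dismiss_url`) and the request URI are hypothetical, and plain-PHP stand-ins are used for WordPress's `esc_url()` / `esc_attr()` so the file runs on its own with `php example.php`.

```php
<?php
// Added example (not the plugin's code). Models a plugin notice that embeds a
// request-derived URL in an HTML attribute, first unescaped, then escaped.
// In a real WordPress plugin, use esc_url() / esc_attr(); the plain-PHP
// equivalents below are used so this file runs stand-alone.

declare(strict_types=1);

/** Build the "dismiss this notice" URL from the current request URI (hypothetical helper). */
function build_dismiss_url(string $request_uri): string
{
    $sep = (strpos($request_uri, '?') === false) ? '?' : '&';
    return $request_uri . $sep . 'tablesome_dismiss=1';
}

/** VULNERABLE: the generated URL is concatenated into href="" with no escaping. */
function tablesome_notice_vulnerable(string $request_uri): string
{
    $url = build_dismiss_url($request_uri);
    return '<div class="notice"><a href="' . $url . '">Dismiss</a></div>';
}

/** FIXED: reject unexpected URL schemes, then escape for the attribute context. */
function tablesome_notice_fixed(string $request_uri): string
{
    $url = build_dismiss_url($request_uri);

    // esc_url()-style check: allow only relative paths or http(s) URLs,
    // so a javascript: or data: URL never reaches the attribute.
    $parts = parse_url($url);
    if ($parts === false) {
        $url = '';
    } elseif (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        $url = '';
    }

    // esc_attr()-style encoding: quotes, angle brackets and ampersands become
    // entities, so a " in the input cannot terminate the href attribute.
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="notice"><a href="' . $safe . '">Dismiss</a></div>';
}

// Constructed attacker request URI: the double quote closes href="" and the
// remainder becomes a new attribute carrying an event handler.
$malicious = '/wp-admin/admin.php?page=tablesome&x=" onmouseover="alert(document.domain)';

echo "vulnerable: ", tablesome_notice_vulnerable($malicious), "\n";
echo "fixed:      ", tablesome_notice_fixed($malicious), "\n";
```

In the first line of output the raw `"` breaks out of `href` and `onmouseover="alert(document.domain)"` lands in the page as a live attribute; in the second every `"` is emitted as `&quot;` and every `&` as `&amp;`, so the browser keeps the whole payload inside the `href` value as inert text. The scheme check matters separately from the encoding: an attribute-safe `javascript:` URL is still executable when the link is clicked, which is why WordPress pairs `esc_url()` with attribute output rather than relying on `esc_attr()` alone.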
Public references, including entries on WPScan and Packet Storm, document the issue and provide proof-of-concept material. The associated EPSS score reached a peak of 0.1082 before receding to its current value of 0.0817.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-24080
Vulnerability details
The Tablesome WordPress plugin before 1.0.9 does not escape various generated URLs, before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site Scripting
- CWE(s): none recorded
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.