Cyber Resilience

CVE-2023-2122

Medium · Public PoC

Published: 16 August 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in plugin version 1.0.27
CVSS Score v3.1: 6.1 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score: 0.1776 (95.3rd percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-2122 is a medium-severity reflected cross-site scripting vulnerability in the Image Optimizer WordPress plugin by 10Web. Its CVSS v3.1 base score is 6.1 (Medium).

Operationally, it ranks in the top 4.7% of all CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The Image Optimizer by 10web WordPress plugin before version 1.0.27 contains a reflected cross-site scripting vulnerability. The plugin neither sanitises nor escapes the iowd_tabs_active request parameter before rendering it in its admin panel, so attacker-controlled content is emitted as markup and executed by the browser of whoever views the page.

An unauthenticated attacker can exploit the flaw by crafting a link that carries the payload in the iowd_tabs_active parameter; when a logged-in administrator clicks it, arbitrary JavaScript runs in the administrator's authenticated session. The CVSS 6.1 rating reflects the need for user interaction (UI:R), the changed scope of a payload that executes in the victim's browser rather than on the server (S:C), and the low confidentiality and integrity impact (C:L/I:L).

The WPScan advisory describes the reflected XSS but lists no mitigation beyond upgrading the plugin. The EPSS score peaked at 0.2770 and currently stands at 0.1776, a decline rather than a sustained post-disclosure climb from a low baseline.
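Because the payload travels in an ordinary query parameter, the exploit attempt leaves a trace in the web server's access log. The following is an added example, not code from the plugin, from 10Web or from WPScan: a Python triage routine that extracts iowd_tabs_active values from combined-format access log lines, decodes them (including a double-encoded variant that a single decode would leave looking harmless), and classifies each value against a hypothetical allowlist of tab names. The log lines, IP addresses, the page= slug and the tab allowlist are constructed for illustration; only the parameter name comes from the advisory.

```python
"""Access-log triage for CVE-2023-2122 (reflected XSS via iowd_tabs_active).

Added example for this page; not the plugin's code and not WPScan's.
Assumes Apache/Nginx combined log format.  The tab allowlist, the
``page=`` slug and every log line below are constructed for illustration;
only the parameter name ``iowd_tabs_active`` comes from the advisory.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format:
#   ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

PARAM = "iowd_tabs_active"

# Hypothetical allowlist of legitimate tab identifiers.  In a real
# deployment take these from the plugin's own tab definitions.
KNOWN_TABS = {"general", "settings", "optimize"}

# Characters a tab name never needs but an attacker needs to close an
# attribute or open a tag in the reflected admin page.
MARKUP_CHARS = set('<>"\'`')


def extract_param(target):
    """Return every decoded iowd_tabs_active value in a request target.

    parse_qs decodes one layer of percent-encoding; the extra unquote()
    exposes double-encoded payloads (%253C -> %3C -> <).
    """
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    return [unquote(v) for v in values]


def classify_value(value):
    """Classify one parameter value.

    'benign'  - an allowlisted tab name
    'markup'  - carries HTML-breaking characters or a javascript: URL
    'unknown' - neither; worth a look but not conclusive on its own
    """
    if value in KNOWN_TABS:
        return "benign"
    if MARKUP_CHARS & set(value) or "javascript:" in value.lower():
        return "markup"
    return "unknown"


def triage(lines):
    """Return one record per request that carries the parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format, or truncated; skip
        for value in extract_param(m["target"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "referer": m["referer"],
                "verdict": classify_value(value),
                "value": value,
            })
    return hits


# Constructed sample log (RFC 5737 documentation addresses, made-up slug).
SAMPLE_LOG = [
    # Administrator navigating normally.
    '203.0.113.5 - - [17/Aug/2023:10:01:12 +0000] '
    '"GET /wp-admin/admin.php?page=iowd_settings&iowd_tabs_active=general HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    # Attacker probing without a session: WordPress answers 302 to wp-login.php.
    '198.51.100.7 - - [17/Aug/2023:10:02:44 +0000] '
    '"GET /wp-admin/admin.php?page=iowd_settings&iowd_tabs_active=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" '
    '302 0 "-" "curl/8.1.2"',
    # Victim administrator clicking the lure: double-encoded payload, 200, external Referer.
    '203.0.113.5 - - [17/Aug/2023:10:05:19 +0000] '
    '"GET /wp-admin/admin.php?page=iowd_settings&iowd_tabs_active=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" '
    '200 5312 "https://lure.example/" "Mozilla/5.0"',
    # Unrelated traffic, must not appear in the output.
    '203.0.113.9 - - [17/Aug/2023:10:06:01 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["verdict"]:7} '
              f'{hit["value"]!r} referer={hit["referer"]}')
```

Two details matter when reading the output. A hit with status 302 from an unfamiliar address is most likely the attacker probing without a session, because WordPress redirects unauthenticated visitors to the login page. A hit with status 200 comes from the victim administrator's own browser after the lure link was clicked, so the source address is the administrator's, not the attacker's, and the Referer, when present, points at the lure page rather than at the attacker's infrastructure.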

Vulnerability details

The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitise and escape the iowd_tabs_active parameter before rendering it in the plugin admin panel, leading to a reflected Cross-Site Scripting vulnerability, allowing an attacker to trick a logged in admin to execute arbitrary javascript by clicking a link.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

10web
image optimizer
< 1.0.27 (fixed in 1.0.27)

Mitigating Controls

No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. The only remediation the referenced advisory gives is upgrading the plugin to 1.0.27 or later.