CVE-2023-2122
Published: 16 August 2023
Summary
CVE-2023-2122 is a medium-severity reflected cross-site scripting (XSS) vulnerability in the 10Web Image Optimizer WordPress plugin. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 4.7% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
The Image Optimizer by 10web WordPress plugin before version 1.0.27 contains a reflected cross-site scripting vulnerability. The plugin neither sanitizes nor escapes the iowd_tabs_active query parameter before rendering it in the plugin's admin panel, so attacker-controlled markup and script in that parameter are emitted into the page and executed by the browser.
An unauthenticated attacker can exploit the flaw by crafting a link containing a malicious iowd_tabs_active value; when a logged-in administrator clicks it, the injected JavaScript runs in the administrator's authenticated session. The CVSS 6.1 rating reflects the requirement for user interaction and the resulting limited impact on confidentiality and integrity.
WPScan references describe the reflected XSS issue in detail but do not specify mitigation steps beyond upgrading the plugin to version 1.0.27 or later. The EPSS score reached a peak of 0.2770 and currently stands at 0.1776, with no indication of a sustained post-disclosure climb from a low baseline.
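The pattern behind this bug and its fix, as an added example that is not code from the 10Web plugin or from WPScan: a hypothetical tab-rendering function that writes iowd_tabs_active straight into admin HTML, beside a hardened version that allowlists the value against the tabs that actually exist and escapes it on output. The function names and tab identifiers are assumptions; esc_attr_standin() stands in for the WordPress esc_attr() escaper so the file runs under plain PHP 8 without WordPress.

```php
<?php
// Added example, not code from the 10Web Image Optimizer plugin.
// It reconstructs the *pattern* behind CVE-2023-2122: a query parameter
// that selects the active admin tab is written unescaped into markup.
// Function and tab names are hypothetical. esc_attr_standin() replaces
// the WordPress esc_attr() so this runs under `php` outside WordPress.

declare(strict_types=1);

// Stand-in for WordPress esc_attr(): HTML-escape a value for use inside
// a double-quoted attribute. ENT_QUOTES also escapes ' and ".
function esc_attr_standin(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the raw parameter lands inside an attribute, so a
// value starting with "> closes the attribute and injects a <script> tag.
function render_tabs_vulnerable(array $get): string
{
    $active = $get['iowd_tabs_active'] ?? 'general';
    $html  = '<div class="iowd-tabs">';
    $html .= '<input type="hidden" name="iowd_tabs_active" value="' . $active . '">';
    $html .= '</div>';
    return $html;
}

// Hardened pattern: (1) allowlist the parameter against the known tab ids,
// falling back to the default tab; (2) still escape on output, so a future
// change to the allowlist cannot quietly reintroduce the injection.
function render_tabs_hardened(array $get): string
{
    $known_tabs = ['general', 'bulk', 'settings'];   // hypothetical tab ids
    $requested  = $get['iowd_tabs_active'] ?? 'general';
    $active     = in_array($requested, $known_tabs, true) ? $requested : 'general';
    $html  = '<div class="iowd-tabs">';
    $html .= '<input type="hidden" name="iowd_tabs_active" value="'
           . esc_attr_standin($active) . '">';
    $html .= '</div>';
    return $html;
}

// Constructed request: what the admin's browser sends after clicking an
// attacker link of the form ...&iowd_tabs_active=<payload>.
function constructed_request(): array
{
    return ['iowd_tabs_active' => '"><script>alert(document.cookie)</script>'];
}

// Self-check: the raw <script> survives only in the vulnerable output, and
// the hardened output fell back to the default tab.
function self_check(): bool
{
    $vuln = render_tabs_vulnerable(constructed_request());
    $safe = render_tabs_hardened(constructed_request());
    return str_contains($vuln, '<script>')
        && !str_contains($safe, '<script>')
        && str_contains($safe, 'value="general"');
}

echo "vulnerable : " . render_tabs_vulnerable(constructed_request()) . "\n";
echo "escape-only: " . esc_attr_standin(constructed_request()['iowd_tabs_active']) . "\n";
echo "hardened   : " . render_tabs_hardened(constructed_request()) . "\n";
exit(self_check() ? 0 : 1);
```

Run with `php example.php`. For a tab selector the allowlist is the real fix, since the parameter should only ever be one of a handful of known identifiers; output escaping is retained as defence in depth and is what WordPress's esc_attr()/esc_html() provide at the point of rendering. Neither step is a substitute for upgrading the plugin, which is the only remedy the WPScan references give.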
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33642
Vulnerability details
The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitise and escape the iowd_tabs_active parameter before rendering it in the plugin admin panel, leading to a reflected Cross-Site Scripting vulnerability, allowing an attacker to trick a logged in admin to execute arbitrary JavaScript by clicking a link.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet; the per-CVE control annotator has not reached this CVE. The only remedy referenced by the WPScan advisory is upgrading the plugin to version 1.0.27 or later.