CVE-2023-2123
Published: 16 August 2023
Summary
CVE-2023-2123 is a medium-severity vulnerability of an unspecified weakness type in Wpinventory Wp Inventory Manager. Its CVSS base score is 6.1 (Medium).
Operationally, it is ranked in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The WP Inventory Manager WordPress plugin prior to version 2.1.0.13 contains a reflected cross-site scripting vulnerability. The flaw stems from missing sanitization and escaping of a user-supplied parameter that is subsequently rendered directly in page output, allowing script execution in the context of the affected site.
An unauthenticated remote attacker can exploit the issue by crafting a malicious link and tricking a victim into clicking it, resulting in arbitrary script execution within the victim's browser session. The CVSS 6.1 vector reflects network attack reachability, low complexity, no required privileges, required user interaction, and changed scope with limited impacts to confidentiality and integrity.
Public references include a proof-of-concept exploit and a WPScan advisory entry that document the reflected XSS behavior and identify the fixed release. The associated EPSS score has remained flat at 0.1743 with no material increase observed after disclosure.
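As an added, defender-side illustration that is not code from the plugin or the advisory: the pattern the advisory describes (a request parameter echoed back into the page without sanitisation or escaping) beside the WordPress sanitise-on-input, escape-on-output form that closes it. The function names and the `item_name` parameter are placeholders, since the advisory does not name the affected parameter; the `function_exists` fallbacks exist only so the file runs outside WordPress.

```php
<?php
// Added illustration, not code from the WP Inventory Manager plugin.
// The request key 'item_name' is a placeholder; the advisory does not
// name the affected parameter.

// Stand-alone fallbacks so this file runs outside WordPress; inside a
// plugin the real WordPress functions are defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return esc_html($text); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) { return trim(strip_tags((string) $text)); }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) { return stripslashes((string) $value); }
}

// Vulnerable pattern: the parameter is concatenated into HTML unchanged, so
// any markup in the request becomes live markup in the response (reflected XSS).
function render_item_heading_vulnerable(array $request): string {
    $name = $request['item_name'] ?? '';
    return '<h2>Inventory item: ' . $name . '</h2>';
}

// Hardened pattern: sanitise on input, then escape on output with the escaper
// that matches the context the value lands in (esc_html for element content,
// esc_attr for attribute values).
function render_item_heading_fixed(array $request): string {
    $name = isset($request['item_name'])
        ? sanitize_text_field(wp_unslash($request['item_name']))
        : '';
    return '<h2>Inventory item: ' . esc_html($name) . '</h2>'
         . '<input type="text" name="item_name" value="' . esc_attr($name) . '">';
}

// Constructed request carrying a harmless tag to show the difference.
$request = ['item_name' => '<b>widget</b>'];
echo render_item_heading_vulnerable($request), "\n"; // tag reaches the page intact
echo render_item_heading_fixed($request), "\n";      // tag is stripped, remainder escaped
```

The same sanitise-then-escape discipline applies to every request value the plugin renders, not only the one the advisory refers to; the escaping function must be chosen per output context.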
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33643
Vulnerability details
The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.