Cyber Resilience

CVE-2023-2123

Severity: Medium · Public PoC available

Published: 16 August 2023
Modified: 21 November 2024
KEV Added: none (not listed in CISA KEV)
CVSS v3.1 score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS score: 0.1743 (95.2nd percentile)
Risk priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-2123 is a medium-severity vulnerability (weakness type unspecified) in the WP Inventory Manager WordPress plugin by wpinventory. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 4.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The WP Inventory Manager WordPress plugin prior to version 2.1.0.13 contains a reflected cross-site scripting vulnerability. The flaw stems from missing sanitization and escaping of a user-supplied parameter that is subsequently rendered directly in page output, allowing script execution in the context of the affected site.

An unauthenticated remote attacker can exploit the issue by crafting a malicious link and tricking a victim into clicking it, resulting in arbitrary script execution within the victim's browser session. The CVSS 6.1 vector reflects network reachability (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), changed scope (S:C), and low impact to confidentiality and integrity (C:L/I:L) with no availability impact (A:N).

Public references include a proof-of-concept exploit and a WPScan advisory entry that document the reflected XSS behavior and identify the fixed release. The associated EPSS score has remained flat at 0.1743 with no material increase observed after disclosure.

Vulnerability details

The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: wpinventory
Product: wp inventory manager
Versions: ≤ 2.1.0.13

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
