Cyber Resilience

CVE-2023-2272

Severity: Medium · Public PoC

Published: 16 August 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.1415 (94.5th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-2272 is a medium-severity reflected cross-site scripting vulnerability in the Tiempo.com WordPress plugin, affecting versions through 0.1.2. Its CVSS v3.1 base score is 6.1 (Medium).

Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood (EPSS 0.1415, 94.5th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Tiempo.com WordPress plugin through version 0.1.2 contains a reflected cross-site scripting vulnerability. The plugin neither sanitises the page query parameter on input nor escapes it before echoing it back into page output, so attacker-controlled markup lands in the HTML and executes in the browser of any user who opens a crafted link.

An unauthenticated remote attacker exploits the flaw by getting a high-privilege user, such as an administrator who is logged in to the WordPress dashboard, to open a crafted URL (CVSS UI:R and S:C reflect this: the victim's interaction is required, and the impact lands in the victim's browser rather than on the plugin itself). Successful exploitation lets the attacker run arbitrary JavaScript in the victim's authenticated session, enabling actions such as session abuse or unauthorized configuration changes made through the WordPress admin interface with the victim's privileges.
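The pattern described above, shown as an added illustration rather than the plugin's own code: a hypothetical WordPress settings-page handler that echoes the page query parameter unescaped (the vulnerable shape), next to the WordPress-idiomatic hardened form. The function names, option slug and markup are assumptions for the example; only the WordPress API calls (sanitize_text_field, wp_unslash, esc_attr, esc_html, esc_url, add_query_arg, admin_url) are real.

```php
<?php
// Added example, not code from the Tiempo.com plugin. It reproduces the
// class of defect CVE-2023-2272 describes (a request parameter reflected
// into HTML without sanitisation or escaping) and the fix a reviewer
// would ask for. Names prefixed tiempo_example_ are hypothetical.

// Vulnerable shape: raw request input concatenated straight into markup.
function tiempo_example_render_vulnerable() {
    $page = isset( $_GET['page'] ) ? $_GET['page'] : '';

    // A value such as  "><img src=x onerror=alert(1)>  closes the attribute
    // and injects an element that runs in the browser of whoever loaded
    // the crafted URL; an administrator's session is the usual target.
    echo '<form method="post" action="options.php?page=' . $page . '">';
    echo '<input type="hidden" name="page" value="' . $page . '">';
    echo '<h2>Settings: ' . $page . '</h2>';
    echo '</form>';
}

// Hardened shape: sanitise on input, then escape at each sink for the
// exact output context. Sanitising alone is not enough, because
// sanitize_text_field() strips tags but is not an HTML-attribute encoder.
function tiempo_example_render_fixed() {
    $page = isset( $_GET['page'] )
        ? sanitize_text_field( wp_unslash( $_GET['page'] ) )
        : '';

    // URL context: build the URL with add_query_arg() (which encodes the
    // value) and escape the whole thing with esc_url().
    $action = esc_url( add_query_arg( 'page', $page, admin_url( 'options.php' ) ) );

    echo '<form method="post" action="' . $action . '">';
    // Attribute context: esc_attr() encodes quotes, <, > and &.
    echo '<input type="hidden" name="page" value="' . esc_attr( $page ) . '">';
    // Text-node context: esc_html() encodes the same characters for body text.
    echo '<h2>' . esc_html( 'Settings: ' . $page ) . '</h2>';
    echo '</form>';
}
```

In a real admin page the reflected value is usually not needed at all: the plugin registers its menu slug itself, so it can emit that constant instead of reading page back from the request, which removes the sink entirely. Where the value must be echoed, the rule is one escaping function per output context, applied at the point of output, never once at the top of the handler.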

The referenced WPScan advisory documents the issue and is the primary public source of technical detail; no vendor patch or specific mitigation steps are described in the supplied references. Absent a fixed release, the usual handling for an affected WordPress plugin is to deactivate or remove it until one is available.

EPSS for the CVE rose from a low baseline to a peak of 0.2275 before settling at the current value of 0.1415, indicating increased exploitation interest after disclosure.

Vulnerability details

The Tiempo.com WordPress plugin through 0.1.2 does not sanitise and escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tiempo
Product: tiempo
Versions: ≤ 0.1.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.