Cyber Resilience

CVE-2023-2309

Severity: Medium · Public PoC

Published: 24 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed in 2.1.9; see analysis below)
CVSS Score (v3.1): 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.1525 (94.8th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-2309 is a medium-severity vulnerability in the gVectors wpForo Forum WordPress plugin; the record assigns no CWE, so the weakness class is unspecified. Its CVSS v3.1 base score is 6.1 (Medium).

Operationally, it ranks in the top 5.2% of CVEs by exploit likelihood (EPSS 94.8th percentile); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability CVE-2023-2309 affects the wpForo Forum WordPress plugin prior to version 2.1.9. It is a reflected cross-site scripting flaw that occurs because the plugin does not escape certain request parameters when debug mode is enabled, allowing script content to be reflected back to users.

An unauthenticated remote attacker can exploit the issue by crafting a malicious request and inducing a victim to interact with it, resulting in script execution in the victim's browser context with limited effects on confidentiality and integrity.

References to the WPScan advisory indicate that the issue is resolved by updating to version 2.1.9 or later. The associated EPSS score has remained flat at its peak value of 0.1525 with no material rise after disclosure.

Vulnerability details

The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a Reflected Cross-Site Scripting vulnerability.

CWE(s): None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: gVectors
Product: wpForo Forum
Versions: ≤ 2.1.9 (as recorded; the vulnerability details above give the affected range as versions before 2.1.9, with 2.1.9 as the fixed release)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
