CVE-2023-2309
Published: 24 July 2023
Summary
CVE-2023-2309 is a medium-severity reflected cross-site scripting vulnerability in the gVectors wpForo Forum WordPress plugin. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 5.2% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof of concept is referenced.
Deeper analysis
The vulnerability CVE-2023-2309 affects the wpForo Forum WordPress plugin prior to version 2.1.9. It is a reflected cross-site scripting flaw that occurs because the plugin does not escape certain request parameters when debug mode is enabled, allowing script content to be reflected back to users.
An unauthenticated remote attacker can exploit the issue by crafting a malicious URL and inducing a victim to open it, resulting in script execution in the victim's browser in the context of the forum site, with limited impact on confidentiality and integrity (consistent with the 6.1 score). Because the unescaped reflection only occurs while the plugin's debug mode is enabled, sites that keep debug mode off in production are not exposed through this path, but that is a compensating condition, not a fix.
The WPScan advisory referenced for this CVE indicates that the issue is resolved by updating to version 2.1.9 or later. The associated EPSS score has remained flat at its peak value of 0.1525, with no material rise after disclosure.
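As an added illustration of the bug class described above, the following block contrasts a debug handler that reflects a request parameter unescaped with the same handler using WordPress escaping. This is not wpForo's own code: the function names, the debug flag and the `trace` parameter are hypothetical, and the block assumes WordPress core is loaded (for example, run with `wp eval-file`) so that `esc_html()` and `wp_unslash()` are available.

```php
<?php
// Added example, not the plugin's code. The handler name, the $debug_mode
// flag and the 'trace' parameter are hypothetical; esc_html() and
// wp_unslash() are WordPress core functions, so run this with WordPress
// loaded (e.g. `wp eval-file this-file.php`).

// --- Vulnerable pattern: raw request value written into the page ----------
function example_debug_panel_vulnerable( array $get, bool $debug_mode ): string {
    if ( ! $debug_mode ) {
        return ''; // nothing reflected unless debug output is on
    }
    // BUG: whatever the attacker puts in ?trace=... becomes markup for
    // every user who loads the crafted URL (reflected XSS).
    $trace = isset( $get['trace'] ) ? $get['trace'] : '';
    return '<div class="debug">trace: ' . $trace . '</div>';
}

// --- Hardened pattern: escape for the HTML text context -------------------
function example_debug_panel_fixed( array $get, bool $debug_mode ): string {
    if ( ! $debug_mode ) {
        return '';
    }
    // wp_unslash() removes the slashes WordPress adds to request data;
    // esc_html() encodes <, >, &, " and ' so the value renders as text.
    $trace = isset( $get['trace'] ) ? esc_html( wp_unslash( $get['trace'] ) ) : '';
    return '<div class="debug">trace: ' . $trace . '</div>';
}

// Version gate matching the advisory: anything below 2.1.9 is affected.
function example_wpforo_is_vulnerable_version( string $installed ): bool {
    return version_compare( $installed, '2.1.9', '<' );
}

// Constructed request used to show the difference between the two handlers.
$constructed_get = array( 'trace' => '<script>alert(document.domain)</script>' );

echo example_debug_panel_vulnerable( $constructed_get, true ), "\n"; // script tag survives
echo example_debug_panel_fixed( $constructed_get, true ), "\n";      // script tag entity-encoded

// With debug mode off, neither handler emits the parameter at all.
var_dump( example_debug_panel_vulnerable( $constructed_get, false ) === '' );

// Triage helper: compare an installed version against the fixed release.
var_dump( example_wpforo_is_vulnerable_version( '2.1.8' ) );
var_dump( example_wpforo_is_vulnerable_version( '2.1.9' ) );
```

Note the escaping function must match the output context: `esc_html()` is for element text; a value placed inside an attribute needs `esc_attr()`, and one placed inside a URL needs `esc_url()`. Gating output behind a debug flag, as the first handler does, only narrows exposure; it does not remove the need to escape.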
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33814
Vulnerability details
The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a Reflected Cross-Site Scripting vulnerability.
- CWE(s): none listed on this page. The description (unescaped request parameters reflected into the page) corresponds to reflected cross-site scripting, CWE-79.
Related Threats
No named actor attribution and no ATT&CK technique mapping are recorded for this CVE.
Affected Assets
wpForo Forum WordPress plugin, versions before 2.1.9 (see Vulnerability details above).
Mitigating Controls
No mitigating controls are mapped for this CVE on this page. Per the WPScan advisory referenced above, the fix is to update wpForo Forum to 2.1.9 or later; the unescaped reflection is only reachable while the plugin's debug mode is enabled, so debug mode should stay off on production sites until the update is applied.