Cyber Resilience

CVE-2023-2579

Severity: Medium · Public PoC available

Published: 17 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.1664 (95.1st percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-2579 is a medium-severity vulnerability in Inventorypress by the Inventorypress Project; the weakness type is not classified (no CWE is listed). Its CVSS base score is 5.4 (Medium).

Operationally, it ranks in the top 4.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The InventoryPress WordPress plugin through version 1.7 contains a stored cross-site scripting vulnerability because it fails to sanitize and escape certain plugin settings. The affected component is the plugin's configuration handling, which accepts and stores unsanitized input that is later rendered in the administrative interface.

Users holding the author role or higher can trigger the flaw by saving crafted content in the vulnerable settings fields. Because the stored value is later rendered without escaping, the script executes persistently in the browsers of other users who view the affected pages. The CVSS 5.4 vector (PR:L, UI:R, S:C) reflects that a low-privileged account and a victim's page view are required and that the impact crosses into the victim's browser session, where actions such as session hijacking or privilege escalation within the WordPress context become possible.

No official patch or mitigation guidance is provided in the referenced advisories. The EPSS score has remained flat at its peak value of 0.1664 with no material increase after disclosure. Public proof-of-concept code and a WPScan entry confirm the issue but do not indicate widespread exploitation.

EU & UK References

Vulnerability details

The InventoryPress WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: inventorypress project
Product: inventorypress
Versions: ≤ 1.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References