CVE-2023-2579
Published: 17 July 2023
Summary
CVE-2023-2579 is a medium-severity vulnerability of unspecified weakness type in Inventorypress Project Inventorypress. Its CVSS base score is 5.4 (Medium).
Operationally, it is ranked in the top 4.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The InventoryPress WordPress plugin through version 1.7 contains a stored cross-site scripting vulnerability because it fails to sanitize and escape certain plugin settings. The affected component is the plugin's configuration handling, which accepts and stores unsanitized input that is later rendered in the administrative interface.
Users holding the author role or higher can exploit the flaw by saving malicious payloads in the vulnerable settings fields. Successful exploitation results in persistent script execution in the browsers of other users who view the affected pages, enabling actions such as session hijacking or privilege escalation within the WordPress context, consistent with the CVSS 5.4 vector.
No official patch or mitigation guidance is provided in the referenced advisories. The EPSS score has remained flat at its peak value of 0.1664 with no material increase after disclosure. Public proof-of-concept code and a WPScan entry confirm the issue but do not indicate widespread exploitation.
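The settings-handling defect described above, shown as an added illustration beside its hardened form. This is not InventoryPress code; the option name, field name, settings group and nonce action (`ip_demo_label`, `ip_demo_group`, `ip_demo_save`) are hypothetical placeholders, and the plugin's actual field names are not given in the advisory.

```php
<?php
// Added illustration, not InventoryPress code. All ip_demo_* names are
// hypothetical placeholders standing in for the plugin's real settings.

// Vulnerable pattern: the raw request value is stored as-is and later echoed
// without escaping, so anything an Author-level user saves is rendered as
// markup in every administrator's browser that opens the settings page.
function ip_demo_save_unsafe() {
    if ( isset( $_POST['ip_demo_label'] ) ) {
        update_option( 'ip_demo_label', $_POST['ip_demo_label'] ); // not sanitised
    }
}
function ip_demo_render_unsafe() {
    echo '<input name="ip_demo_label" value="' . get_option( 'ip_demo_label' ) . '">'; // not escaped
}

// Hardened pattern: sanitise on input, escape on output, and gate the save
// behind a capability that Author-level accounts do not hold.
function ip_demo_register_setting() {
    register_setting( 'ip_demo_group', 'ip_demo_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags, normalises whitespace
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'ip_demo_register_setting' );

function ip_demo_save_safe() {
    if ( ! current_user_can( 'manage_options' ) ) { // Authors lack this capability
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'ip_demo_save' );          // nonce check against CSRF
    $label = sanitize_text_field( wp_unslash( $_POST['ip_demo_label'] ?? '' ) );
    update_option( 'ip_demo_label', $label );
}

function ip_demo_render_safe() {
    // esc_attr() for an attribute context; use esc_html() for text nodes.
    printf(
        '<input type="text" name="ip_demo_label" value="%s">',
        esc_attr( get_option( 'ip_demo_label', '' ) )
    );
}
```

Detection-wise, the same defect can be audited by grepping a plugin for `update_option(` calls fed directly from `$_POST`/`$_GET` and for `get_option(` values echoed without an `esc_*` wrapper.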
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34057
Vulnerability details
The InventoryPress WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.