Cyber Resilience

CVE-2023-4294

Severity: Medium
Public PoC: referenced
Published: 11 September 2023
Modified: 02 May 2025
KEV Added: not listed
Patch: available (fixed in 1.7.6)
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.2975 (96.7th percentile)
Risk Priority: 30 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-4294 is a medium-severity cross-site scripting (XSS) vulnerability in the Kaizencoders URL Shortify WordPress plugin. Its CVSS v3.1 base score is 6.1 (Medium).

Operationally, it ranks in the top 3.3% of CVEs by exploit likelihood (EPSS 0.2975, 96.7th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The URL Shortify WordPress plugin before version 1.7.6 contains a cross-site scripting vulnerability caused by insufficient escaping of the HTTP Referer header value. The flaw sits in the plugin's short-link statistics handling: the Referer of each visit is recorded and later rendered in the plugin's admin panel without being escaped, so it behaves as a stored XSS. Any site running the vulnerable version is affected, and no authentication is needed to plant the payload.

An unauthenticated remote attacker supplies a crafted Referer header when requesting a short link; the value is stored with the link's statistics and the embedded JavaScript executes in the browser of an administrator who later opens the statistics page. Because the script runs inside the administrator's authenticated session, it can read or modify whatever that session can reach in the browser. The CVSS 6.1 vector reflects this: network attack vector, low complexity, no privileges required, user interaction required (the admin must view the page), changed scope, and low confidentiality and integrity impact.

The referenced WPScan advisory identifies the issue and notes that it is resolved in version 1.7.6. The associated EPSS score peaked at 0.3641 and currently stands at 0.2975, indicating sustained moderate exploitation interest since public disclosure.

Vulnerability details

The URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the Referer header, thus allowing an unauthenticated attacker to inject malicious JavaScript that will trigger in the plugin's admin panel with statistics of the created short link.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Kaizencoders
Product: URL Shortify (WordPress plugin)
Versions: < 1.7.6 (fixed in 1.7.6)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
