Hotjar WP Plugin 1.0.15 XSS via hotjar_site_id in admin multi-site
CVE-2023-1259 Published on October 14, 2023
Hotjar <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Hotjar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the hotjar_site_id in versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Timeline
Discovered
Disclosed 212 days later.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2023-1259 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2023-1259
Want to know whenever a new CVE is published for Hotjar? stack.watch will email you.
Affected Versions
Hotjar:- Before and including 1.0.15 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.