WordPress Auth. Stored XSS in Core 5.9-6.3 & Gutenberg 16.8.
CVE-2023-38000 Published on October 13, 2023
Auth. Stored Cross-Site Scripting (XSS) vulnerability in WordPress core and Gutenberg plugin via Navigation Links Block
Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions.
Vulnerability Analysis
CVE-2023-38000 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2023-38000 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2023-38000
stack.watch emails you whenever new vulnerabilities are published in WordPress or WordPress Gutenberg. Just hit a watch button to start following.
Affected Versions
WordPress.org WordPress:- Version 6.3, <= 6.3.1 is affected.
- Version 6.2, <= 6.2.2 is affected.
- Version 6.1, <= 6.1.3 is affected.
- Version 6.0, <= 6.0.5 is affected.
- Version 5.9, <= 5.9.7 is affected.
- Before and including 16.8.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.