CVE-2023-2735

CVSS V2 None CVSS V3 None

Description

The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gh_form' shortcode in versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note this only works with legacy contact forms.

Overview

CVE ID
CVE-2023-2735

Assigner
security@wordfence.com

Vulnerability Status
Received

Published Version
2023-05-20T03:15:09

Last Modified Date
2023-05-20T03:15:09

Weakness Enumerations

CWE	URL
CWE-79	http://cwe.mitre.org/data/definitions/79.html

References

Reference URL	Reference Tags
https://plugins.trac.wordpress.org/browser/groundhogg/tags/2.7.9.8/includes/form/form.php#L187
https://plugins.trac.wordpress.org/browser/groundhogg/tags/2.7.9.8/includes/shortcodes.php#L51
https://plugins.trac.wordpress.org/changeset/2914493/groundhogg/trunk/includes/better-meta-compat.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/4938206e-2ea4-47ed-a307-87cf67dd74a4?source=cve

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-2735
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2735

History

Created	Old Value	New Value	Data Type	Notes
2023-05-20 04:00:23				Added to TrackCVE
2023-05-20 04:00:26			Weakness Enumeration	new