The JQuery Accordion Menu Widget for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcwp-jquery-accordion' shortcode in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Configurations
Configuration 1 (hide)
|
History
07 Nov 2023, 04:23
| Type | Values Removed | Values Added |
|---|---|---|
| CWE |
14 Sep 2023, 00:46
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| First Time |
Designchemical
Designchemical jquery Accordion Menu Widget |
|
| CPE | cpe:2.3:a:designchemical:jquery_accordion_menu_widget:*:*:*:*:*:wordpress:*:* | |
| References | (MISC) https://plugins.trac.wordpress.org/browser/jquery-vertical-accordion-menu/tags/3.1.2/dcwp_jquery_accordion.php#L112 - Patch | |
| References | (MISC) https://plugins.trac.wordpress.org/browser/jquery-vertical-accordion-menu/tags/3.1.2/dcwp_jquery_accordion.php#L94 - Patch | |
| References | (MISC) https://www.wordfence.com/threat-intel/vulnerabilities/id/b0cf3015-cdc9-4ac9-82f3-e9b4d1203e22?source=cve - Third Party Advisory |
12 Sep 2023, 11:52
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-09-12 02:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-4890
Mitre link : CVE-2023-4890
CVE.ORG link : CVE-2023-4890
JSON object : View
Products Affected
designchemical
- jquery_accordion_menu_widget
CWE
No CWE.