CVE-2023-5308
PUBLISHED
CVSS 6.4 MEDIUM
The Podcast Subscribe Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'podcast_subscribe' shortcode in versions up to, and including, 1.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
EPSS 0.18% · 38.9th percentile
Risk Scores
CVSS 3.1
6.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS Score
0.18%
38.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| secondlinethemes | podcast_subscribe_buttons | 0, 0, 0 |
| secondlinethemes | Podcast Subscribe Buttons | 0, 0, 0 |
Exploit Intelligence
- CIRCL seen: CVE-2023-5308 (circl-sighting)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/17dbfb82-e380-464a-bfaf-2d0f6bf07f25?source=cve (circl)
- https://plugins.trac.wordpress.org/browser/podcast-subscribe-buttons/tags/1.4.8/template-parts/inline-button.php#L30 (circl)
- https://plugins.trac.wordpress.org/changeset/2973904/podcast-subscribe-buttons#file529 (circl)
Timeline
- Oct 20, 2023 EPSS Score
- Oct 20, 2023 CVE Published
- Oct 20, 2023 PoC Published
- Nov 20, 2023 EPSS Score
- Dec 21, 2023 EPSS Score
- Jan 21, 2024 EPSS Score
- Feb 21, 2024 EPSS Score
- Mar 24, 2024 EPSS Score
- Apr 24, 2024 EPSS Score
- May 25, 2024 EPSS Score
- Jul 26, 2024 EPSS Score
- Aug 26, 2024 EPSS Score
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/17dbfb82-e380-464a-bfaf-2d0f6bf07f25?source=cve (url)
- https://plugins.trac.wordpress.org/browser/podcast-subscribe-buttons/tags/1.4.8/template-parts/inline-button.php#L30 (url)
- https://plugins.trac.wordpress.org/changeset/2973904/podcast-subscribe-buttons#file529 (url)
- https://nvd.nist.gov/vuln/detail/CVE-2023-5308 (advisory)