
Exploit for Newsletter < 7.6.9 - Cross-Site Scripting (CVE-2023-27922)

Description:

The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as administrators.

Nuclei Template

View the template here: CVE-2023-27922.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-27922.yaml

References:

https://wpscan.com/vulnerability/eb6ff6f0-60fe-4345-b443-97fd4800418c
https://jvn.jp/en/jp/JVN59341308/
https://nvd.nist.gov/vuln/detail/CVE-2023-27922
https://wordpress.org/plugins/newsletter/