Vulnerability Details CVE-2023-6990
The Weaver Xtreme theme for WordPress is vulnerable to Stored Cross-Site Scripting via custom post meta in all versions up to, and including, 6.3.0 due to insufficient input sanitization and output escaping on user supplied meta (page-head-code). This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 33.1%
CVSS Severity
CVSS v3 Score 5.4
References
- https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=212828%40weaver-xtreme&new=212828%40weaver-xtreme&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bc7384d7-c2fd-4d63-9b80-bb5bde9a23d5?source=cve
- https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=212828%40weaver-xtreme&new=212828%40weaver-xtreme&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bc7384d7-c2fd-4d63-9b80-bb5bde9a23d5?source=cve
Products affected by CVE-2023-6990
-
cpe:2.3:a:weavertheme:weaver_xtreme_theme_support:-
-
cpe:2.3:a:weavertheme:weaver_xtreme_theme_support:0.1
-
cpe:2.3:a:weavertheme:weaver_xtreme_theme_support:5.0
-
cpe:2.3:a:weavertheme:weaver_xtreme_theme_support:5.0.2
-
cpe:2.3:a:weavertheme:weaver_xtreme_theme_support:6.1
-
cpe:2.3:a:weavertheme:weaver_xtreme_theme_support:6.2
-
cpe:2.3:a:weavertheme:weaver_xtreme_theme_support:6.2.5
-
cpe:2.3:a:weavertheme:weaver_xtreme_theme_support:6.2.7
-
cpe:2.3:a:weavertheme:weaver_xtreme_theme_support:6.2.8
-
cpe:2.3:a:weavertheme:weaver_xtreme_theme_support:6.2.9
-
cpe:2.3:a:weavertheme:weaver_xtreme_theme_support:6.3.0