CVE-2023-2028

CVSS 3.1 Score 4.8 of 10 (medium)

Details

Published Jul 10, 2023
Updated: Nov 7, 2023

Summary

CVE-2023-2028 is a vulnerability affecting the Call Now Accessibility Button WordPress plugin before version 1.1. The issue lies in the plugin's failure to properly sanitize certain settings which can lead to Stored Cross-Site Scripting (XSS) attacks. High-privilege users can exploit this vulnerability, bypassing the unfiltered_html capability restriction and injecting malicious scripts, even in multisite configurations. This can result in unauthorized access, data theft, or other malicious activities. Users are advised to update the plugin to the latest version to mitigate this risk.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share