CVE-2023-6488

Summary

The vulnerability with the CVE ID name CVE-2023-6488 affects the WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress in all versions up to and including 7.0.0. It is a Stored Cross-Site Scripting vulnerability that allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts through the plugin's 'su_button', 'su_members', and 'su_tabs' shortcodes. This can lead to the execution of these scripts whenever a user accesses an injected page. The vulnerability has a risk score of 26 and is categorized as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has a base severity of MEDIUM, with low privileges required and user interaction required for exploitation. The impact on integrity and confidentiality is low, with no availability impact. The vulnerability can be remediated by updating the affected plugin to a version beyond 7.0.0.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.