CVE-2023-1282 - Vulnerability Details - OpenCVE

The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Codedropz	Drag And Drop Multiple File Upload - Contact Form 7

Configuration 1 [-]

OR	cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:::::standard:wordpress::
	cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:::::pro:wordpress::

No data.

References

Link	Providers
https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a
https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27

History

No history.

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2023-04-17T12:17:42.385Z

Updated: 2024-08-02T05:41:00.065Z

Reserved: 2023-03-08T20:34:25.298Z

Link: CVE-2023-1282

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-04-17T13:15:38.123

Modified: 2024-11-21T07:38:49.320

Link: CVE-2023-1282

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1282", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2023-03-08T20:34:25.298Z", "datePublished": "2023-04-17T12:17:42.385Z", "dateUpdated": "2024-08-02T05:41:00.065Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2023-04-17T12:17:42.385Z"}, "title": "Drag and Drop Multiple File Upload PRO - Reflected Cross-Site Scripting", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard", "versions": [{"status": "affected", "versionType": "custom", "version": "2.0.0", "lessThan": "2.11.1"}], "defaultStatus": "unaffected"}, {"vendor": "Unknown", "product": "Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations", "versions": [{"status": "affected", "versionType": "custom", "version": "5.0.0.0", "lessThan": "5.0.6.4"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins."}], "references": [{"url": "https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a", "tags": ["exploit", "vdb-entry", "technical-description"]}, {"url": "https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Alex Sanford", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:41:00.065Z"}, "title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:*:*:*:*:standard:wordpress:*:*", "matchCriteriaId": "C8B87F33-4286-4E32-99D3-A9B36571AF11", "versionEndExcluding": "2.11.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:*:*:*:*:pro:wordpress:*:*", "matchCriteriaId": "97A0A402-49FE-4103-A891-4D313F289667", "versionEndExcluding": "5.0.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins."}], "id": "CVE-2023-1282", "lastModified": "2024-11-21T07:38:49.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-17T13:15:38.123", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified"}