{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-38000", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2023-07-11T12:50:13.630Z", "datePublished": "2023-10-13T09:55:54.690Z", "dateUpdated": "2024-08-02T17:23:27.829Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WordPress", "vendor": "WordPress.org", "versions": [{"changes": [{"at": "6.3.2", "status": "unaffected"}], "lessThanOrEqual": "6.3.1", "status": "affected", "version": "6.3", "versionType": "custom"}, {"changes": [{"at": "6.2.3", "status": "unaffected"}], "lessThanOrEqual": "6.2.2", "status": "affected", "version": "6.2", "versionType": "custom"}, {"changes": [{"at": "6.1.4", "status": "unaffected"}], "lessThanOrEqual": "6.1.3", "status": "affected", "version": "6.1", "versionType": "custom"}, {"changes": [{"at": "6.0.6", "status": "unaffected"}], "lessThanOrEqual": "6.0.5", "status": "affected", "version": "6.0", "versionType": "custom"}, {"changes": [{"at": "5.9.8", "status": "unaffected"}], "lessThanOrEqual": "5.9.7", "status": "affected", "version": "5.9", "versionType": "custom"}]}, {"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "gutenberg", "product": "Gutenberg", "vendor": "Gutenberg Team", "versions": [{"changes": [{"at": "16.8.1", "status": "unaffected"}], "lessThanOrEqual": "16.8.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Rafie Muhammad (Patchstack)"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Edouard Lamoine (Patchstack)"}], "datePublic": "2023-10-13T05:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core&nbsp;<span style=\"background-color: var(--wht);\">6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin &lt;= 16.8.0 versions.</span>"}], "value": "Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core\u00a06.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2023-10-13T10:34:00.870Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve"}, {"tags": ["vdb-entry"], "url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-3-2-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"}, {"tags": ["vdb-entry"], "url": "https://patchstack.com/database/vulnerability/gutenberg/wordpress-gutenberg-plugin-16-8-0-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update WordPress core to the 6.3.2,&nbsp;6.2.3,&nbsp;6.1.4,&nbsp;6.0.6,&nbsp;5.9.8 or a higher version."}], "value": "Update WordPress core to the 6.3.2,\u00a06.2.3,\u00a06.1.4,\u00a06.0.6,\u00a05.9.8 or a higher version."}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update&nbsp;Gutenberg to&nbsp;16.8.1 or a higher version."}], "value": "Update\u00a0Gutenberg to\u00a016.8.1 or a higher version."}], "source": {"discovery": "EXTERNAL"}, "title": "Auth. Stored Cross-Site Scripting (XSS) vulnerability in WordPress core and Gutenberg plugin via Navigation Links Block", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:23:27.829Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve"}, {"tags": ["vdb-entry", "x_transferred"], "url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-3-2-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"}, {"tags": ["vdb-entry", "x_transferred"], "url": "https://patchstack.com/database/vulnerability/gutenberg/wordpress-gutenberg-plugin-16-8-0-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "51D5D6E9-387D-4A4B-A613-0E0B9D74B8F1", "versionEndIncluding": "5.9.7", "versionStartIncluding": "5.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D0A0B36-9A2F-415A-A404-EE0FF6BC63A3", "versionEndIncluding": "6.0.5", "versionStartIncluding": "6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "A85EAB94-7EE7-4B4D-82E6-132FCF8662C4", "versionEndIncluding": "6.1.3", "versionStartIncluding": "6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "B55FDB69-E699-43A1-8575-52E0B33F8863", "versionEndIncluding": "6.2.2", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "matchCriteriaId": "0AD6301C-56F8-4F1E-8792-B5A6160403DA", "versionEndIncluding": "6.3.1", "versionStartIncluding": "6.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wordpress:gutenberg:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D3E2C523-266B-4E49-93FA-6EF0195309B7", "versionEndIncluding": "16.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core\u00a06.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions."}, {"lang": "es", "value": "Vulnerabilidad de Coss-Site Scripting (XSS) autenticada (con permisos de colaboradores o superiores) almacenada en WordPress core 6.3 a 6.3.1, de 6.2 a 6.2.2, de 6.1 a 6.1.3, de 6.0 a 6.0.5, de 5.9 a 5.9.7 y versiones del complemento Gutenberg en versiones &lt;=  16.8.0."}], "id": "CVE-2023-38000", "lastModified": "2024-11-21T08:12:40.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-13T10:15:09.823", "references": [{"source": "audit@patchstack.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve"}, {"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/gutenberg/wordpress-gutenberg-plugin-16-8-0-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"}, {"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-3-2-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://patchstack.com/articles/wordpress-core-6-3-2-security-update-technical-advisory?_s_id=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/gutenberg/wordpress-gutenberg-plugin-16-8-0-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/wordpress/wordpress-core-6-3-2-contributor-stored-xss-in-navigation-links-block-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}