The String locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sql-column' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This required WP_DEBUG to be enabled in order to be exploited.
History

Thu, 26 Sep 2024 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Instawp
Instawp string Locator
CPEs cpe:2.3:a:instawp:string_locator:*:*:*:*:*:wordpress:*:*
Vendors & Products Instawp
Instawp string Locator

Mon, 26 Aug 2024 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 24 Aug 2024 02:15:00 +0000

Type Values Removed Values Added
Description The String locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sql-column' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This required WP_DEBUG to be enabled in order to be exploited.
Title String Locator <= 2.6.5 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-08-24T02:02:28.310Z

Updated: 2024-08-26T15:51:18.418Z

Reserved: 2023-12-20T09:22:29.031Z

Link: CVE-2023-6987

cve-icon Vulnrichment

Updated: 2024-08-26T15:51:11.520Z

cve-icon NVD

Status : Analyzed

Published: 2024-08-24T02:15:04.267

Modified: 2024-09-26T22:34:54.020

Link: CVE-2023-6987

cve-icon Redhat

No data.