CVE-2023-2362

Summary

The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before 1.5.1, Counter Box WordPress plugin before 1.2.2, Floating Button WordPress plugin before 5.3.1, Herd Effects WordPress plugin before 5.2.2, Popup Box WordPress plugin before 2.2.2, Side Menu Lite WordPress plugin before 4.0.2, Sticky Buttons WordPress plugin before 3.1.1, Wow Skype Buttons WordPress plugin before 4.0.2, WP Coder WordPress plugin before 2.5.6 do not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Affected Software

VendorProductVersion RangeStatus
UnknownFloat menu0 < 5.0.2affected
UnknownBubble Menu0 < 3.0.4affected
UnknownButton Generator0 < 2.3.5affected
UnknownCalculator Builder0 < 1.5.1affected
UnknownCounter Box0 < 1.2.2affected
UnknownFloating Button0 < 5.3.1affected
UnknownHerd Effects0 < 5.2.2affected
UnknownPopup Box0 < 2.2.2affected
UnknownSide Menu Lite0 < 4.0.2affected
UnknownSticky Buttons0 < 3.1.1affected
UnknownWow Skype Buttons0 < 4.0.2affected
UnknownWP Coder0 < 2.5.6affected

Weaknesses

  • CWE-79 Cross-Site Scripting (XSS)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References