← back
CVE-2023-4294

URL Shortify < 1.7.6 - Unauthenticated Stored XSS via referer header

CVSS 6.1 MEDIUMEPSS 0.7%
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.1EPSS 0.7%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
11 Sep 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products
Unknown · URL Shortify