CVE-2023-7084 (GCVE-0-2023-7084)
Vulnerability from cvelistv5 – Published: 2024-01-16 15:57 – Updated: 2025-06-20 17:23
VLAI?
Title
Voting Record <= 2.0 - Subscriber+ Stored XSS
Summary
The Voting Record WordPress plugin through 2.0 is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks
Severity ?
5.4 (Medium)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Voting Record |
Affected:
0 , ≤ 2.0
(semver)
|
Credits
Daniel Ruf
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:07.797Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/5e51e239-919b-4e74-a7ee-195f3817f907/"
},
{
"tags": [
"x_transferred"
],
"url": "https://magos-securitas.com/txt/CVE-2023-7084.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-7084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-18T17:24:09.414304Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T17:23:27.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "affected",
"product": "Voting Record",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Ruf"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Voting Record WordPress plugin through 2.0 is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-05T21:23:01.742Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/5e51e239-919b-4e74-a7ee-195f3817f907/"
},
{
"url": "https://magos-securitas.com/txt/CVE-2023-7084.txt"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Voting Record \u003c= 2.0 - Subscriber+ Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-7084",
"datePublished": "2024-01-16T15:57:03.277Z",
"dateReserved": "2023-12-22T19:02:36.893Z",
"dateUpdated": "2025-06-20T17:23:27.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:davidjmiller:voting_record:*:*:*:*:*:wordpress:*:*\", \"versionEndIncluding\": \"2.0\", \"matchCriteriaId\": \"5618CD85-545A-47B3-A1E9-13091C2C8EE9\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"The Voting Record WordPress plugin through 2.0 is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks\"}, {\"lang\": \"es\", \"value\": \"Al complemento Voting Record de WordPress hasta la versi\\u00f3n 2.0 le falta sanitizaci\\u00f3n y escape, lo que podr\\u00eda permitir a cualquier usuario autenticado, como un suscriptor, realizar ataques de XSS almacenado.\"}]",
"id": "CVE-2023-7084",
"lastModified": "2024-11-21T08:45:13.180",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}]}",
"published": "2024-01-16T16:15:14.023",
"references": "[{\"url\": \"https://magos-securitas.com/txt/CVE-2023-7084.txt\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/5e51e239-919b-4e74-a7ee-195f3817f907/\", \"source\": \"contact@wpscan.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://magos-securitas.com/txt/CVE-2023-7084.txt\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://wpscan.com/vulnerability/5e51e239-919b-4e74-a7ee-195f3817f907/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-7084\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2024-01-16T16:15:14.023\",\"lastModified\":\"2025-06-20T18:15:24.563\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Voting Record WordPress plugin through 2.0 is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks\"},{\"lang\":\"es\",\"value\":\"Al complemento Voting Record de WordPress hasta la versi\u00f3n 2.0 le falta sanitizaci\u00f3n y escape, lo que podr\u00eda permitir a cualquier usuario autenticado, como un suscriptor, realizar ataques de XSS almacenado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:davidjmiller:voting_record:*:*:*:*:*:wordpress:*:*\",\"versionEndIncluding\":\"2.0\",\"matchCriteriaId\":\"5618CD85-545A-47B3-A1E9-13091C2C8EE9\"}]}]}],\"references\":[{\"url\":\"https://magos-securitas.com/txt/CVE-2023-7084.txt\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/5e51e239-919b-4e74-a7ee-195f3817f907/\",\"source\":\"contact@wpscan.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://magos-securitas.com/txt/CVE-2023-7084.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://wpscan.com/vulnerability/5e51e239-919b-4e74-a7ee-195f3817f907/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://wpscan.com/vulnerability/5e51e239-919b-4e74-a7ee-195f3817f907/\", \"tags\": [\"exploit\", \"vdb-entry\", \"technical-description\", \"x_transferred\"]}, {\"url\": \"https://magos-securitas.com/txt/CVE-2023-7084.txt\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T08:50:07.797Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-7084\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-01-18T17:24:09.414304Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-20T17:23:22.530Z\"}}], \"cna\": {\"title\": \"Voting Record \u003c= 2.0 - Subscriber+ Stored XSS\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Daniel Ruf\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"WPScan\"}], \"affected\": [{\"vendor\": \"Unknown\", \"product\": \"Voting Record\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.0\"}], \"collectionURL\": \"https://wordpress.org/plugins\", \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://wpscan.com/vulnerability/5e51e239-919b-4e74-a7ee-195f3817f907/\", \"tags\": [\"exploit\", \"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://magos-securitas.com/txt/CVE-2023-7084.txt\"}], \"x_generator\": {\"engine\": \"WPScan CVE Generator\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Voting Record WordPress plugin through 2.0 is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"CWE-79 Cross-Site Scripting (XSS)\"}]}], \"providerMetadata\": {\"orgId\": \"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81\", \"shortName\": \"WPScan\", \"dateUpdated\": \"2024-02-05T21:23:01.742Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-7084\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-20T17:23:27.788Z\", \"dateReserved\": \"2023-12-22T19:02:36.893Z\", \"assignerOrgId\": \"1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81\", \"datePublished\": \"2024-01-16T15:57:03.277Z\", \"assignerShortName\": \"WPScan\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…