|
[Japanese]
|
JVNDB-2023-000045
|
WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" vulnerable to cross-site scripting
|
|
WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" provided by Vektor,Inc. contain multiple cross-site scripting vulnerabilities (CWE-79) listed below.- Cross-site scripting vulnerability in Tag edit function - CVE-2023-27923
- Cross-site scripting vulnerability in Post function - CVE-2023-27925
- Cross-site scripting vulnerability in Profile setting function - CVE-2023-27926
- Cross-site scripting vulnerability in CTA post function - CVE-2023-28367
apple502j reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-27925
|
CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 3.5 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-27923
|
CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-27926
|
CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity:
Base Metrics
3.5 (Low)
[IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: Single
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-28367
|
|
|
VECTOR INC.
- VK All in One Expansion Unit 9.88.1.0 and earlier - CVE-2023-27926,CVE-2023-28367
- VK Blocks 1.53.0.1 and earlier - CVE-2023-27923,CVE-2023-27925
- VK Blocks Pro 1.53.0.1 and earlier - CVE-2023-27923,CVE-2023-27925
|
|
|
- An arbitrary script may be executed on the web browser of the user who is logging in to the product - CVE-2023-27923, CVE-2023-28367
- An arbitrary script may be executed on the web browser of the user who is accessing the site using the product - CVE-2023-27925, CVE-2023-27926
|
|
[Update the plugin]
Update the plugin according to the information provided by the developer.
The developer has released the following versions that address these vulnerabilities.- VK Blocks 1.54.0.0 or later
- VK Blocks Pro 1.54.0.0 or later
- VK All in One Expansion Unit 9.88.2.0 or later
|
|
VECTOR INC.
|
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
|
- CVE-2023-27923
- CVE-2023-27925
- CVE-2023-27926
- CVE-2023-28367
|
|
- JVN : JVN#95792402
|
|
- [2023/05/09]
Web page was published
|
