CVE-2023-2123

MEDIUM

WP Inventory Manager <2.1.0.13 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-2123. PoCs published by 0xn4d.

AI-analyzed exploit summary This repository contains a proof-of-concept for an unauthenticated reflected XSS vulnerability in the WP Inventory Manager plugin for WordPress. The exploit involves injecting an encoded JavaScript payload into the 'message' parameter of a URL, which executes when the page is loaded.

Description

The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

Exploits (1)

nomisec WORKING POC 2 stars
by 0xn4d · poc
https://github.com/0xn4d/poc-cve-xss-encoded-wp-inventory-manager-plugin

This repository contains a proof-of-concept for an unauthenticated reflected XSS vulnerability in the WP Inventory Manager plugin for WordPress. The exploit involves injecting an encoded JavaScript payload into the 'message' parameter of a URL, which executes when the page is loaded.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: WP Inventory Manager Plugin 2.1.0.12 for WordPress
No auth needed
Prerequisites: Access to a WordPress site with the vulnerable plugin installed · Ability to manipulate URL parameters
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.1
EPSS 0.0116
EPSS Percentile 63.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

Status published
Products (1)
wpinventory/wp_inventory_manager < 2.1.0.13
Published Aug 16, 2023
Tracked Since Feb 18, 2026