CVE-2023-2757
HIGHWaiting: One-click countdowns <= 0.6.2 - Authenticated Cross-Site Scripting via saveLang Function
Title source: llmDescription
The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This could lead to Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for subscriber-level attackers to access functions to save plugin data that can potentially lead to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References (3)
Core 3
Core References
Scores
CVSS v3
7.4
EPSS
0.0045
EPSS Percentile
36.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
CWE-862
Status
published
Products (2)
plugin/waiting
< 0.6.2
pluginbuilders/Waiting: One-click countdowns
< 0.6.2
Published
May 18, 2023
Tracked Since
Feb 18, 2026