CVE-2023-2757

HIGH

Waiting: One-click countdowns <= 0.6.2 - Authenticated Cross-Site Scripting via saveLang Function

Title source: llm
STIX 2.1

Description

The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on 'saveLang' functions in versions up to, and including, 0.6.2. This could lead to Cross-Site Scripting due to insufficient input sanitization and output escaping. This makes it possible for subscriber-level attackers to access functions to save plugin data that can potentially lead to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Scores

CVSS v3 7.4
EPSS 0.0045
EPSS Percentile 36.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79 CWE-862
Status published
Products (2)
plugin/waiting < 0.6.2
pluginbuilders/Waiting: One-click countdowns < 0.6.2
Published May 18, 2023
Tracked Since Feb 18, 2026