CVE-2023-4294

MEDIUM

URL Shortify < 1.7.6 - Unauthenticated Stored Cross-Site Scripting via Referer Header

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-4294. PoC published by b0marek.

AI-analyzed exploit summary: This repository provides a detailed technical writeup for CVE-2023-4294, a stored XSS vulnerability in the URL Shortify WordPress plugin. It includes step-by-step reproduction instructions, exploit payload details, and references to external vulnerability databases.

Description

The URL Shortify WordPress plugin before 1.7.6 does not escape the value of the HTTP Referer header that it records for clicks on a short link. An unauthenticated attacker can therefore supply a Referer containing JavaScript, which is stored and later executes in the browser of an administrator viewing the plugin's admin panel with the statistics of that short link (hence UI:R and the changed scope in the CVSS vector below).
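To make the defect concrete, the following added example (not code from the URL Shortify plugin or from the b0marek writeup) models the pattern the description gives: a click handler stores the raw Referer, and an admin statistics page prints it. The vulnerable renderer is shown beside a hardened one that escapes on output with WordPress's esc_html()/esc_url(). The in-memory storage, the table layout, the sample Referer values and the CLI stand-ins for the two WordPress helpers are assumptions so the file runs under plain php.

```php
<?php
// Added example; this is not code from the URL Shortify plugin. It models the
// defect the advisory describes: the redirect handler stores the HTTP Referer
// of each click verbatim, and the admin statistics page later prints it into
// HTML. Storage (an in-memory array here, a database table in a real plugin),
// the statistics table layout and the sample values are assumptions.

// Minimal stand-ins so the file runs under plain `php` outside WordPress;
// inside WordPress the real esc_html()/esc_url() are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Stand-in for esc_url(): keep only http(s) URLs, otherwise return ''.
    function esc_url(string $url): string {
        $parts  = parse_url($url);
        $scheme = is_array($parts) && isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
        return in_array($scheme, ['http', 'https'], true) ? esc_html($url) : '';
    }
}

// Click tracking, reached by an unauthenticated visitor following the short
// link. The Referer value is entirely attacker controlled; storing it as-is is
// acceptable, the defect lies on the output side below.
function record_click(array $server, array &$clicks): void {
    $clicks[] = [
        'referer'    => $server['HTTP_REFERER'] ?? '',
        'clicked_at' => gmdate('Y-m-d H:i:s'),
    ];
}

// VULNERABLE: the stored referer is interpolated into the admin page unchanged,
// so any markup it contains becomes part of the DOM and runs with the
// privileges of the administrator viewing the statistics.
function render_stats_vulnerable(array $clicks): string {
    $html = "<table><tr><th>Referer</th><th>Time</th></tr>\n";
    foreach ($clicks as $click) {
        $html .= '<tr><td>' . $click['referer'] . '</td><td>' . $click['clicked_at'] . "</td></tr>\n";
    }
    return $html . '</table>';
}

// HARDENED: escape at output. esc_html() turns <, >, &, " and ' into entities so
// the value is displayed as text; esc_url() additionally rejects non-http(s)
// schemes (javascript:, data:) before the value is allowed into an href.
function render_stats_hardened(array $clicks): string {
    $html = "<table><tr><th>Referer</th><th>Time</th></tr>\n";
    foreach ($clicks as $click) {
        $ref  = $click['referer'];
        $href = esc_url($ref);
        $cell = $href === ''
            ? esc_html($ref)
            : '<a href="' . $href . '" rel="noreferrer">' . esc_html($ref) . '</a>';
        $html .= '<tr><td>' . $cell . '</td><td>' . esc_html($click['clicked_at']) . "</td></tr>\n";
    }
    return $html . '</table>';
}

// Constructed sample clicks: a normal referer and one carrying a script tag,
// as any HTTP client can send in the Referer header.
$clicks = [];
record_click(['HTTP_REFERER' => 'https://example.com/page'], $clicks);
record_click(['HTTP_REFERER' => '<script>alert(document.domain)</script>'], $clicks);

echo "--- vulnerable ---\n", render_stats_vulnerable($clicks), "\n";
echo "--- hardened ---\n",   render_stats_hardened($clicks),   "\n";
```

Run it with `php example.php` and compare the two tables: the first emits the script tag as markup, the second shows it as literal text. The lesson is the usual one for stored XSS: escaping belongs at the point of output, with the function that matches the HTML context (text node, attribute, URL). For deployed sites the fix is simply to update the plugin to 1.7.6 or later, the first version the page lists as unaffected.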

Exploits (1)

nomisec WRITEUP
by b0marek · poc
https://github.com/b0marek/CVE-2023-4294

Classification
Writeup (95% confidence)
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: URL Shortify WordPress plugin <= 1.7.5
No auth needed
Prerequisites: Access to a vulnerable WordPress instance with the URL Shortify plugin installed · Ability to send crafted HTTP requests with manipulated Referer headers
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026

References (1)

Core References (1)
https://wpscan.com/vulnerability/1fc71fc7-861a-46cc-a147-1c7ece9a7776 (Exploit, Third Party Advisory; tags: exploit, vdb-entry, technical-description)

Scores

CVSS v3.1 6.1 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS 0.0073 (0.73% estimated probability of exploitation activity in the next 30 days)
EPSS Percentile 49.6%
Attack Vector NETWORK

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

Status published
Products (1)
kaizencoders/url_shortify < 1.7.6
Published Sep 11, 2023
Tracked Since Feb 18, 2026