JVN#95792402: WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" vulnerable to cross-site scripting

Published: 2023-05-09 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)
Tags: wordpress, vk blocks, vk all in one expansion unit, cross-site scripting, cve-2023-27923, cve-2023-27925, cve-2023-27926, cve-2023-28367, update plugin

CVSS3 Base Score: 5.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 (Percentile: 44.5%)

WordPress Plugin “VK Blocks” and “VK All in One Expansion Unit” provided by Vektor, Inc. contain multiple cross-site scripting vulnerabilities (CWE-79), listed below.

Cross-site scripting vulnerability in Tag edit function - CVE-2023-27923

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5

Cross-site scripting vulnerability in Post function - CVE-2023-27925

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0

Cross-site scripting vulnerability in Profile setting function - CVE-2023-27926

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0

Cross-site scripting vulnerability in CTA post function - CVE-2023-28367

Version Vector Score
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4
CVSS v2 AV:N/AC:M/Au:S/C:N/I:P/A:N Base Score: 3.5

Impact

  • An arbitrary script may be executed on the web browser of a user who is logged in to the product - CVE-2023-27923, CVE-2023-28367
  • An arbitrary script may be executed on the web browser of a user who is accessing a site that uses the product - CVE-2023-27925, CVE-2023-27926

Solution

Update the plugin
Update the plugin according to the information provided by the developer.
The developer has released the following versions that address these vulnerabilities.

  • VK Blocks 1.54.0.0 or later
  • VK Blocks Pro 1.54.0.0 or later
  • VK All in One Expansion Unit 9.88.2.0 or later

Products Affected

CVE-2023-27923, CVE-2023-27925

  • VK Blocks 1.53.0.1 and earlier
  • VK Blocks Pro 1.53.0.1 and earlier

CVE-2023-27926, CVE-2023-28367

  • VK All in One Expansion Unit 9.88.1.0 and earlier
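The following script, added here as a worked example and not part of the JVN advisory or of Vektor's own code, turns the Solution and Products Affected sections above into an inventory check: it reads the JSON printed by `wp plugin list --format=json` (fields name, status, update, version), compares each installed version against the last affected release the advisory lists, and reports which plugins still need the fixed release. The plugin slugs used as dictionary keys (vk-blocks, vk-blocks-pro, vk-all-in-one-expansion-unit) are assumptions, not taken from the advisory; the sample plugin list at the bottom is constructed.

```python
"""Version triage for JVN#95792402 (VK Blocks / VK All in One Expansion Unit).

Added example, not part of the advisory. It reads the JSON that
`wp plugin list --format=json` prints (fields: name, status, update, version)
and reports plugins inside the affected ranges the advisory lists. The plugin
slugs used as keys are assumptions; check them against your own install.
"""
import json

# Affected ranges from the advisory: slug -> (last affected, first fixed, CVEs).
AFFECTED_RANGES = {
    "vk-blocks": ("1.53.0.1", "1.54.0.0", "CVE-2023-27923, CVE-2023-27925"),      # slug assumed
    "vk-blocks-pro": ("1.53.0.1", "1.54.0.0", "CVE-2023-27923, CVE-2023-27925"),  # slug assumed
    "vk-all-in-one-expansion-unit": (                                             # slug assumed
        "9.88.1.0", "9.88.2.0", "CVE-2023-27926, CVE-2023-28367"),
}


def parse_version(version):
    """Turn '1.53.0.1' into (1, 53, 0, 1).

    Each component keeps only its leading digits (so '2rc1' -> 2) and the tuple
    is padded with zeros to four components, so '1.54' compares equal to
    '1.54.0.0' rather than lower than it.
    """
    parts = []
    for component in version.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_affected(slug, version):
    """True when the advisory covers this plugin and the installed version is at
    or below the last affected release."""
    entry = AFFECTED_RANGES.get(slug)
    if entry is None:
        return False
    last_affected, _fixed, _cves = entry
    return parse_version(version) <= parse_version(last_affected)


def triage(plugin_list_json):
    """Return one finding per affected plugin in `wp plugin list --format=json` output."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin.get("name", "")
        version = plugin.get("version", "")
        if is_affected(slug, version):
            _last, fixed, cves = AFFECTED_RANGES[slug]
            findings.append({
                "plugin": slug,
                "installed": version,
                "fixed_in": fixed,
                "cves": cves,
                "active": plugin.get("status") == "active",
            })
    return findings


# Constructed sample in the shape of `wp plugin list --format=json`; not real output.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "vk-blocks", "status": "active", "update": "available", "version": "1.53.0.1"},
    {"name": "vk-blocks-pro", "status": "inactive", "update": "none", "version": "1.54.0.0"},
    {"name": "vk-all-in-one-expansion-unit", "status": "active", "update": "available",
     "version": "9.88.1.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.1"},
])

if __name__ == "__main__":
    for f in triage(SAMPLE_PLUGIN_LIST):
        state = "ACTIVE" if f["active"] else "inactive"
        print(f'{f["plugin"]} {f["installed"]} ({state}): update to {f["fixed_in"]} or later ({f["cves"]})')
```

On a real site, pipe `wp plugin list --format=json` into `triage()` instead of the constructed sample. An inactive plugin still reports as affected on purpose: its files remain on disk and it can be re-enabled, so it belongs in the same update cycle as the active ones.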