CVE-2023-1282 - Vulnerability Details - OpenCVE

The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Codedropz	Drag And Drop Multiple File Upload - Contact Form 7

Configuration 1 [-]

OR	cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:::::standard:wordpress::
	cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:::::pro:wordpress::

No data.

References

Link	Providers
https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a
https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27

History

Thu, 06 Feb 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2023-04-17T12:17:42.385Z

Updated: 2025-02-06T15:28:52.381Z

Reserved: 2023-03-08T20:34:25.298Z

Link: CVE-2023-1282

Vulnrichment

Updated: 2024-08-02T05:41:00.065Z

NVD

Status : Modified

Published: 2023-04-17T13:15:38.123

Modified: 2025-02-06T16:15:32.460

Link: CVE-2023-1282

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1282", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2023-03-08T20:34:25.298Z", "datePublished": "2023-04-17T12:17:42.385Z", "dateUpdated": "2025-02-06T15:28:52.381Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2023-04-17T12:17:42.385Z"}, "title": "Drag and Drop Multiple File Upload PRO - Reflected Cross-Site Scripting", "problemTypes": [{"descriptions": [{"description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard", "versions": [{"status": "affected", "versionType": "custom", "version": "2.0.0", "lessThan": "2.11.1"}], "defaultStatus": "unaffected"}, {"vendor": "Unknown", "product": "Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations", "versions": [{"status": "affected", "versionType": "custom", "version": "5.0.0.0", "lessThan": "5.0.6.4"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins."}], "references": [{"url": "https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a", "tags": ["exploit", "vdb-entry", "technical-description"]}, {"url": "https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Alex Sanford", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:41:00.065Z"}, "title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-02-06T15:28:26.180084Z", "id": "CVE-2023-1282", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-06T15:28:52.381Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27", "tags": ["exploit", "vdb-entry", "technical-description", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:41:00.065Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-1282", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-06T15:28:26.180084Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-06T15:28:22.592Z"}}], "cna": {"title": "Drag and Drop Multiple File Upload PRO - Reflected Cross-Site Scripting", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Alex Sanford"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard", "versions": [{"status": "affected", "version": "2.0.0", "lessThan": "2.11.1", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Unknown", "product": "Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations", "versions": [{"status": "affected", "version": "5.0.0.0", "lessThan": "5.0.6.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a", "tags": ["exploit", "vdb-entry", "technical-description"]}, {"url": "https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-79 Cross-Site Scripting (XSS)"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2023-04-17T12:17:42.385Z"}}}, "cveMetadata": {"cveId": "CVE-2023-1282", "state": "PUBLISHED", "dateUpdated": "2025-02-06T15:28:52.381Z", "dateReserved": "2023-03-08T20:34:25.298Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2023-04-17T12:17:42.385Z", "assignerShortName": "WPScan"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:*:*:*:*:standard:wordpress:*:*", "matchCriteriaId": "C8B87F33-4286-4E32-99D3-A9B36571AF11", "versionEndExcluding": "2.11.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:codedropz:drag_and_drop_multiple_file_upload_-_contact_form_7:*:*:*:*:pro:wordpress:*:*", "matchCriteriaId": "97A0A402-49FE-4103-A891-4D313F289667", "versionEndExcluding": "5.0.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins."}], "id": "CVE-2023-1282", "lastModified": "2025-02-06T16:15:32.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-04-17T13:15:38.123", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/8a9548c5-59ea-46b0-bfa5-a0f7a259351a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/f4b2617f-5235-4587-9eaf-d0f6bb23dc27"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified"}