Threat Entry Updated 2024-08-19

CVE-2023-1604 - Shorten Url Plugin

The Short URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.8. This is due to missing or incorrect nonce validation on the configuration_page function. This makes it possible for unauthenticated attackers to add and import redirects, including comments containing cross-site scripting as detailed in CVE-2023-1602, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Shorten Url

CVE-2023-1604

MEDIUM CVSS 4.7 2024-08-17

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-1602 - Shorten Url Plugin

The Short URL plugin for WordPress is vulnerable to stored Cross-Site Scripting via the 'comment' parameter due to insufficient input sanitization and output escaping in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shorten Url

CVE-2023-1602

MEDIUM CVSS 4.4 2023-06-29

Risk Score

Open Full Technical Breakdown