CVE-2023-2113


Autoptimize < 3.1.7 - Admin+ Stored Cross-Site Scripting via Settings Import

The Autoptimize WordPress plugin before 3.1.7 does not sanitise and escape the settings imported from a previous export, allowing high-privileged users (such as an administrator) to inject arbitrary JavaScript into the admin panel, even when the unfiltered_html capability is disabled, such as in a multisite setup.
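The bug class behind this advisory (CWE-79 via an import path that bypasses WordPress's own capability checks) is easier to reason about with a concrete settings-import handler. The following is an illustrative example added to this page; it is not Autoptimize's code and does not reproduce the plugin's actual vulnerable function. All `demo_*` function names, option names and the settings schema are hypothetical, and the block assumes it runs inside a loaded WordPress instance (it calls real core functions: `update_option`, `get_option`, `esc_attr`, `esc_url_raw`, `sanitize_text_field`, `rest_sanitize_boolean`, `wp_kses_post`, `current_user_can`, `check_admin_referer`). It shows the vulnerable pattern (trust the imported blob, echo it raw) beside a hardened one (whitelist keys, sanitise per type, honour `unfiltered_html`, escape at the sink).

```php
<?php
/*
 * Added illustrative example, NOT Autoptimize's code.
 * Assumes WordPress core is loaded; demo_* names and the option
 * 'demo_settings' are hypothetical.
 */

// Constructed sample of a malicious export file an admin might upload.
// The value breaks out of the value="..." attribute in the raw sink below.
const DEMO_MALICIOUS_EXPORT = '{"cdn_url":"\" autofocus onfocus=\"alert(document.domain)"}';

// --- Vulnerable pattern -----------------------------------------------------
// The imported payload is trusted: values are stored as-is and later echoed
// raw into an admin page. Nothing checks unfiltered_html, so on a multisite
// (where that capability is off even for admins) the import path still lets
// markup in, and the unescaped echo turns it into stored XSS for anyone who
// opens the settings screen.
function demo_import_settings_vulnerable( $json ) {
    $settings = json_decode( $json, true );
    if ( ! is_array( $settings ) ) {
        return false;
    }
    update_option( 'demo_settings', $settings ); // stored unsanitised
    return true;
}

function demo_render_setting_vulnerable() {
    $settings = get_option( 'demo_settings', array() );
    $cdn_url  = isset( $settings['cdn_url'] ) ? $settings['cdn_url'] : '';
    // Raw output into an attribute: the stored XSS sink.
    echo '<input type="text" name="cdn_url" value="' . $cdn_url . '">';
}

// --- Hardened pattern -------------------------------------------------------
// 1. Only accept keys you expect, and sanitise each one by its type.
// 2. Fields that legitimately hold markup get wp_kses_post() unless the
//    current user actually holds unfiltered_html.
// 3. Gate the import on capability + nonce.
// 4. Escape at every output sink regardless of who stored the value.
function demo_sanitise_settings( $settings ) {
    $clean  = array();
    // Hypothetical schema: key => core sanitiser for that value type.
    $schema = array(
        'cdn_url'      => 'esc_url_raw',
        'exclude_js'   => 'sanitize_text_field',
        'enable_cache' => 'rest_sanitize_boolean',
    );
    foreach ( $schema as $key => $sanitiser ) {
        if ( array_key_exists( $key, $settings ) ) {
            $clean[ $key ] = call_user_func( $sanitiser, $settings[ $key ] );
        }
    }
    // A markup-bearing field: raw only with unfiltered_html, otherwise
    // filtered (wp_kses_post strips <script> and on* event attributes).
    if ( array_key_exists( 'custom_html', $settings ) ) {
        $clean['custom_html'] = current_user_can( 'unfiltered_html' )
            ? (string) $settings['custom_html']
            : wp_kses_post( (string) $settings['custom_html'] );
    }
    return $clean;
}

function demo_import_settings_hardened( $json ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'demo_import_settings' ); // CSRF protection
    $settings = json_decode( $json, true );
    if ( ! is_array( $settings ) ) {
        return false;
    }
    update_option( 'demo_settings', demo_sanitise_settings( $settings ) );
    return true;
}

function demo_render_setting_hardened() {
    $settings = get_option( 'demo_settings', array() );
    $cdn_url  = isset( $settings['cdn_url'] ) ? $settings['cdn_url'] : '';
    // esc_attr() neutralises quotes and angle brackets in attribute context.
    echo '<input type="text" name="cdn_url" value="' . esc_attr( $cdn_url ) . '">';
}
```

Two practical notes. First, sanitising on import is not a substitute for escaping on output: the hardened renderer still calls `esc_attr()` because the option may have been written by an older plugin version, a migration script, or a direct database edit. Second, if the plugin also exposes the same options through the Settings API, register the same sanitiser there (`register_setting( 'demo', 'demo_settings', array( 'sanitize_callback' => 'demo_sanitise_settings' ) )`) so the form-submit path and the import path cannot diverge, which is exactly the kind of gap an import feature tends to open.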



We have discovered 9,625 live websites that are affected by CVE-2023-2113.





Affected Software

Product: Autoptimize
Category: Widgets
Vulnerable Versions:
  • from 0 before 3.1.7
Total Vulnerable Versions: 1,307
Vulnerable Domains: 9,625 live websites (12.96% of Autoptimize install base)


Common Weakness Enumeration


CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')



Details

  • Published - May 30, 2023
  • Updated - May 30, 2023

Credits

  • Juampa Rodríguez (finder)
  • WPScan (coordinator)





Countries

  • United States: 2,450 websites
  • Germany: 1,182 websites
  • Japan: 612 websites
  • Russia: 546 websites
  • Poland: 463 websites
  • United Kingdom (GB): 457 websites
  • France: 437 websites
  • Canada: 322 websites
  • Spain: 291 websites
  • Italy: 289 websites

TLDs

  • .com: 3,940 websites
  • .de: 745 websites
  • .org: 449 websites
  • .ru: 431 websites
  • .pl: 319 websites
  • .net: 242 websites
  • .co.uk: 242 websites
  • .it: 197 websites
  • .fr: 181 websites
  • .jp: 178 websites




