CVE-2023-4294
URL Shortify < 1.7.6 - Unauthenticated Stored XSS via referer headerThe URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link.
We have discovered 235 live websites that are affected by CVE-2023-4294.
Affected Software
| Product |  Url Shortify |
| Category | Wordpress Plugins |
| Vulnerable Domains | 235 live websites (5.12% of Url Shortify install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 32 versions ( 42% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Sep 11, 2023
- Updated - May 2, 2025
Credits
- Bartlomiej Marek and Tomasz Swiadek (finder)
- WPScan (coordinator)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2023-4294 United States | 61 websites |
 Germany | 34 websites |
 Spain | 18 websites |
 France | 16 websites |
 Iran | 8 websites |
 Russia | 8 websites |
 Italy | 8 websites |
 Poland | 7 websites |
 Brazil | 6 websites |
 Canada | 6 websites |
Website Distribution by TLD
Number of websites using CVE-2023-4294| .com | 105 websites |
| .de | 15 websites |
| .org | 14 websites |
| .net | 10 websites |
| .it | 5 websites |
| .ru | 5 websites |
| .at | 4 websites |
| .pl | 4 websites |
| .fr | 3 websites |
| .eu | 3 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2023-4294
Top websites that are affected by CVE-2023-4294. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***************.de | Germany | **,*** | |
| ******.com | Germany | ***,*** | |
| ***.tv | United States | ***,*** | |
| **************.pro | Poland | ***,*** | |
| ***********.com | Canada | ***,*** | |
| ************.*******.com | France | *,***,*** | |
| *******.de | Germany | *,***,*** | |
| ************.pl | Poland | *,***,*** | |
| *********.de | Germany | *,***,*** | |
| *****.md | United States | *,***,*** |
FAQ
CVE-2023-4294 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Url Shortify
A total of 235 websites have been identified as vulnerable to CVE-2023-4294, based on global website indexing conducted by WebTechSurvey.
The Url Shortify is affected by the CVE-2023-4294 vulnerability.
Url Shortify versions up to 1.7.6 are vulnerable to CVE-2023-4294.
CVE-2023-4294 is resolved in version 1.7.6 of Url Shortify.