CVE-2023-4648
The WP Customer Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
We have discovered 587 live websites that are affected by CVE-2023-4648.
Affected Software
| Product |  WP Customer Reviews |
| Category | Wordpress Plugins |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 46 |
| Vulnerable Domains | 587 live websites (59.65% of WP Customer Reviews install base) |
Distribution by Website Rank
The diagram provides a graphic representation of the correlation between the occurrence of CVE-2023-4648 and the relative popularity of websitesDetails
- Published - Oct 20, 2023
- Updated - Oct 20, 2023
Credits
- Marco Wotschka (finder)
CVE References
CWE References
Countries
 United States | 282 websites |
 GB | 49 websites |
 Russia | 42 websites |
 Japan | 41 websites |
 Germany | 26 websites |
 France | 26 websites |
 Netherlands | 17 websites |
 Italy | 11 websites |
 Australia | 10 websites |
 Canada | 9 websites |
TLDs
| .com | 339 websites |
| .ru | 37 websites |
| .co.uk | 34 websites |
| .org | 25 websites |
| .net | 20 websites |
| .nl | 14 websites |
| .jp | 11 websites |
| .fr | 11 websites |
| .de | 9 websites |
| .it | 8 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redGeographical Distribution
The distribution of websites across the globe that are exposed to CVE-2023-4648 through included software libraries and plugins.References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f81950be-de32-4fa1-94fe-42667414fe2d?source=cve
- https://plugins.trac.wordpress.org/changeset/2965658/wp-customer-reviews/trunk?contextall=1&old=2882143&old_path=%2Fwp-customer-reviews%2Ftrunk
Websites affected by CVE-2023-4648
Top websites that are affected by CVE-2023-4648. Please click on the "Contact us" button above to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********************.com | United States | **,*** | |
| ***.**********************.com | United States | ***,*** | |
| ***.******************.com | United States | ***,*** | |
| ******.com | United States | ***,*** | |
| ******.nl | Netherlands | ***,*** | |
| ***.************.com | Germany | ***,*** | |
| **************.org | United States | ***,*** | |
| ******************.com | Japan | ***,*** | |
| **********.de | Germany | ***,*** | |
| ****************.com | United States | ***,*** |