CVE-2023-6884
This plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on the 'place_id' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
We have discovered 7,813 live websites that are affected by CVE-2023-6884.
Affected Software
| Product | |
| Category | Wordpress Plugins |
| Vulnerable Domains | 7,813 live websites (38.14% of Google Reviews Widget install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 75 versions ( 74.26% of all versions) |
Details
- Published - Feb 5, 2024
- Updated - Aug 2, 2024
Credits
- Akbar Kustirama (finder)
CVE References
CVE-2023-6884 usage by Country
 United States | 2,904 websites |
 Germany | 853 websites |
 France | 698 websites |
 GB | 493 websites |
 Spain | 280 websites |
 Netherlands | 276 websites |
 Australia | 248 websites |
 Poland | 245 websites |
 Italy | 207 websites |
 Japan | 181 websites |
CVE-2023-6884 usage by TLD
| .com | 3,647 websites |
| .co.uk | 507 websites |
| .de | 414 websites |
| .fr | 384 websites |
| .com.au | 375 websites |
| .nl | 315 websites |
| .pl | 193 websites |
| .it | 170 websites |
| .es | 159 websites |
| .ca | 150 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2023-6884
Top websites that are affected by CVE-2023-6884. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.nl | Netherlands | **,*** | |
| ******.**.il |  Israel | **,*** | |
| **********.com | United States | **,*** | |
| ***********.com | United States | ***,*** | |
| ***********.ca |  Canada | ***,*** | |
| *****************.de | Germany | ***,*** | |
| ********.pl | Poland | ***,*** | |
| **********.se |  Sweden | ***,*** | |
| *****************.com | United States | ***,*** | |
| ***********.com | United States | ***,*** |
FAQ
A total of 7,813 websites have been identified as vulnerable to CVE-2023-6884, discovered through global website indexing conducted by WebTechSurvey.
Google Reviews Widget is susceptible to CVE-2023-6884 vulnerability.
Google Reviews Widget versions before, and including, 3.1 are vulnerable to CVE-2023-6884.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a8971d54-b54e-4e62-9db2-fa87d2564599?source=cve
- https://plugins.svn.wordpress.org/widget-google-reviews/tags/3.1/includes/class-feed-shortcode.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3018964%40widget-google-reviews&new=3018964%40widget-google-reviews&sfp_email=&sfph_mail=
- https://advisory.abay.sh/cve-2023-6884