JVN#95792402
WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" vulnerable to cross-site scripting

Overview

WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" contain multiple cross-site scripting vulnerabilities.

Products Affected

CVE-2023-27923, CVE-2023-27925

• VK Blocks 1.53.0.1 and earlier
• VK Blocks Pro 1.53.0.1 and earlier

• VK All in One Expansion Unit 9.88.1.0 and earlier

Description

WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" provided by Vektor,Inc. contain multiple cross-site scripting vulnerabilities (CWE-79) listed below.

• Cross-site scripting vulnerability in Tag edit function - CVE-2023-27923

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	Base Score: 5.4
  CVSS v2	AV:N/AC:M/Au:S/C:N/I:P/A:N	Base Score: 3.5

• Cross-site scripting vulnerability in Post function - CVE-2023-27925

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	Base Score: 5.4
  CVSS v2	AV:N/AC:L/Au:S/C:N/I:P/A:N	Base Score: 4.0

• Cross-site scripting vulnerability in Profile setting function - CVE-2023-27926

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	Base Score: 5.4
  CVSS v2	AV:N/AC:L/Au:S/C:N/I:P/A:N	Base Score: 4.0

• Cross-site scripting vulnerability in CTA post function - CVE-2023-28367

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	Base Score: 5.4
  CVSS v2	AV:N/AC:M/Au:S/C:N/I:P/A:N	Base Score: 3.5

Impact

• An arbitrary script may be executed on the web browser of the user who is logging in to the product - CVE-2023-27923, CVE-2023-28367
• An arbitrary script may be executed on the web browser of the user who is accessing the site using the product - CVE-2023-27925, CVE-2023-27926

Solution

Update the plugin
Update the plugin according to the information provided by the developer.
The developer has released the following versions that address these vulnerabilities.

• VK Blocks 1.54.0.0 or later
• VK Blocks Pro 1.54.0.0 or later
• VK All in One Expansion Unit 9.88.2.0 or later