CVE-2023-34008

7.1 HIGH

📋 TL;DR

Unauthenticated reflected cross-site scripting (XSS) in the weDevs WP ERP WordPress plugin, versions 1.12.3 and earlier. A request parameter is echoed into a page without adequate escaping, so an attacker who gets a victim to open a crafted link has arbitrary JavaScript run in that victim's browser in the context of the site. No account is needed to build the link; the damage depends on who follows it, and a logged-in administrator is the valuable target.

💻 Affected Systems

Products:
  • weDevs WP ERP WordPress plugin
Versions: <= 1.12.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the WP ERP plugin enabled. No special configuration required for exploitation.

📦 What is this software?

WP ERP is an open-source ERP plugin for WordPress from weDevs that adds HR management, CRM and accounting modules to a site. Its pages live inside the WordPress admin dashboard, which is why the users who can be hit by this XSS are typically administrators or staff with ERP roles.

⚠️ Risk & Real-World Impact

🔴

Worst Case

If the victim is a logged-in administrator, script running inside wp-admin can use that session, including the nonces already present on the page, to perform any administrator action: create a new admin account, edit theme or plugin files to plant a backdoor, or change site settings so visitors are redirected to attacker-controlled pages.

🟠

Likely Case

Actions carried out in the victim's session (settings changes, content injection, account creation) and defacement of the affected page. WordPress sets its authentication cookies HttpOnly, so simple document.cookie theft usually fails; attackers drive the session from within the page instead.

🟢

If Mitigated

Limited if the plugin is deactivated or wp-admin is not reachable from the open internet. A Content Security Policy without 'unsafe-inline' blocks the injected inline script, but WordPress admin pages depend on inline scripts, so a policy strict enough to help tends to break the dashboard; treat CSP as a tested hardening step, not a drop-in fix.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS is routinely exploited and needs little skill: the attacker builds a URL carrying the payload and delivers it by email, chat or a page the victim visits. The victim must open it while logged in to WordPress for the result to matter; since the plugin's pages sit under wp-admin, the realistic target is an administrator or a user with HR, CRM or accounting roles.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.4 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/erp/wordpress-wp-erp-plugin-1-12-3-reflected-cross-site-scripting-xss-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP ERP' and click 'Update Now'.
4. Verify the installed version is 1.12.4 or later.

🔧 Temporary Workarounds

Implement Content Security Policy

all

A CSP whose script-src omits 'unsafe-inline' stops the reflected inline script from executing. Caveat: WordPress core and most plugins print inline scripts on admin pages, so the policy below will break parts of wp-admin and likely the front end. Roll it out as Content-Security-Policy-Report-Only first, read the violation reports, and only then enforce; where you can, prefer deactivating the plugin.

Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

Disable Plugin

linux

Temporarily deactivate WP ERP until it is patched. Deactivation removes the vulnerable code path; the plugin's data stays in the database and is available again once the updated version is activated.

wp plugin deactivate erp

🧯 If You Can't Patch

  • Put a web application firewall in front of the site with rules that block common XSS payloads in query strings to wp-admin; make sure the WAF matches on the URL-decoded value, since payloads are almost always percent-encoded
  • Restrict /wp-admin/ to trusted IP addresses; this keeps scanners and drive-by probes away from the vulnerable page, but it does not protect an administrator on a trusted network who opens a crafted link

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP ERP version <= 1.12.3

Check Version:

wp plugin list --name=erp --field=version

Verify Fix Applied:

Confirm WP ERP plugin version is 1.12.4 or higher in WordPress admin
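For checking many installations where WP-CLI is not available, the following script reads the plugin version the same way WordPress does, from the header comment of the plugin's main PHP file, and compares it numerically against the fixed release. It is an added example, not code from the advisory or from WP ERP; the plugin directory path and the header text embedded below are assumed/constructed. The numeric comparison matters: a plain string compare would rank 1.12.10 below 1.12.4.

```python
"""Check an installed WP ERP copy against the fixed version without WP-CLI.

Added example; not part of the advisory or of the plugin. WordPress takes a
plugin's version from the 'Version:' line in the header comment of the
plugin's main PHP file, so this mirrors that read and compares numerically.
"""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "1.12.4"   # first non-vulnerable release per the advisory

# Header lines look like " * Version: 1.12.3" inside a /** ... */ comment.
VERSION_RE = re.compile(r'^[ \t*]*Version:\s*(?P<ver>\S+)', re.IGNORECASE | re.MULTILINE)
NAME_RE = re.compile(r'^[ \t*]*Plugin Name:\s*(?P<name>.+?)\s*$', re.IGNORECASE | re.MULTILINE)


def parse_version(ver):
    """'1.12.3' -> (1, 12, 3). Pre-release tags such as '-beta1' are dropped."""
    core = re.split(r'[^0-9.]', ver, maxsplit=1)[0]
    return tuple(int(p) for p in core.split('.') if p != '')


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts numerically before the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def read_plugin_header(text):
    """Return (name, version) from a WordPress plugin header block, or None."""
    name = NAME_RE.search(text)
    ver = VERSION_RE.search(text)
    if not name or not ver:
        return None
    return name.group("name"), ver.group("ver")


def check_plugin_dir(plugin_dir):
    """Scan top-level .php files, as WordPress does, and report the first header found."""
    for php in sorted(Path(plugin_dir).glob('*.php')):
        # WordPress only reads the first 8 KiB of the file for header data.
        hdr = read_plugin_header(php.read_text(errors='replace')[:8192])
        if hdr:
            name, ver = hdr
            return {"name": name, "version": ver, "file": php.name,
                    "vulnerable": is_vulnerable(ver)}
    return None


# Constructed header resembling a plugin main file; not the real file contents.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP ERP
 * Plugin URI: https://wperp.com
 * Version: 1.12.3
 */
"""


def demo():
    """Write the constructed header into a temp plugin dir and check it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "plugin-main.php").write_text(SAMPLE_HEADER)   # assumed file name
        return check_plugin_dir(d)


if __name__ == "__main__":
    # Real use: check_plugin_dir("/var/www/html/wp-content/plugins/erp")  (assumed path)
    print(demo())
```

Point the script at wp-content/plugins/erp on each host; a result with "vulnerable": True means the update to 1.12.4 or later has not been applied there.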

📡 Detection & Monitoring

Log Indicators:

  • Requests to wp-admin pages whose query parameters contain script tags, event-handler attributes (onerror=, onload=) or javascript: URLs, usually URL-encoded, sometimes double-encoded
  • Bursts of such requests from one source with many parameter variations, the signature of a scanner hunting for the reflection point

Network Indicators:

  • HTTP requests containing <script, <svg, javascript:, on*= handlers or their percent-encoded forms (%3Cscript, %3Csvg, javascript%3A, onerror%3D) in URL parameters

SIEM Query:

source="web_server_logs" AND uri_path="/wp-admin/admin.php" AND ("<script" OR "%3Cscript" OR "<svg" OR "%3Csvg" OR "javascript:" OR "javascript%3A" OR "onerror=" OR "onerror%3D" OR "onload=" OR "onload%3D")

Match on the URL-decoded query string if your SIEM can do that; otherwise include both raw and percent-encoded forms as above, and lower-case the field before matching, since mixed-case tags such as <ScRiPt> are a common filter bypass. A query that only looks for the literal "<script>" misses most real probes.
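Where no SIEM is in the path, the same hunt can be run directly over web server access logs. The script below is an added example, not part of the advisory or of the plugin: it parses combined-format log lines, URL-decodes each query parameter (including double-encoded values, which a literal "<script>" match misses), and flags requests under wp-admin whose parameter values look like XSS payloads. The log lines embedded in it are constructed for illustration, and the /wp-admin/ prefix and the /wp-admin/admin.php endpoint are assumptions taken from the SIEM query above.

```python
"""Flag reflected-XSS probes against wp-admin in combined-format access logs.

Added example; not code from the advisory or from WP ERP. Assumes the
Apache/nginx combined log format. Sample lines below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# combined format: host ident user [time] "METHOD TARGET PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Checked against the *decoded* parameter values, case-insensitively.
XSS_PATTERNS = re.compile(
    r'<\s*/?\s*(script|svg|img|iframe|body|object|embed)\b'   # tag injection
    r'|\bon[a-z]+\s*='                                         # onerror=, onload=, ...
    r'|javascript\s*:'                                         # javascript: URLs
    r'|expression\s*\(',                                       # legacy IE CSS
    re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (%253C -> %3C -> <), capped to avoid loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return [(name, decoded_value)] for query params that look like XSS payloads."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl already decodes one layer; fully_decode handles double encoding.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(raw)
        if XSS_PATTERNS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines, path_prefix="/wp-admin/"):
    """Return findings for requests under path_prefix carrying XSS-like parameter values."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # not combined format; skip rather than guess
        target = m.group("target")
        path = urlsplit(target).path
        if not path.startswith(path_prefix):
            continue
        hits = suspicious_params(target)
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")),
                             "path": path, "params": hits})
    return findings


# Constructed sample lines, not real traffic. Line 2 is double-encoded, line 3 is
# benign, line 4 is a front-end probe outside wp-admin.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2023:12:00:01 +0000] "GET /wp-admin/admin.php?page=erp-hr'
    '&foo=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2023:12:00:02 +0000] "GET /wp-admin/admin.php?page=erp-hr'
    '&foo=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1"'
    ' 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2023:12:00:03 +0000] "GET /wp-admin/admin.php?page=erp-hr'
    '&search=john HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2023:12:00:04 +0000] "GET /?s=%3Cscript%3E HTTP/1.1"'
    ' 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], f["params"])
```

Run it with `scan_log(open("/var/log/nginx/access.log"))` (path assumed) or pipe a log through it; pass `path_prefix="/"` to include front-end probes such as the search-form line above. A 200 status on a flagged request tells you the page reflected the input without refusing it, which is the case worth pivoting on.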

🔗 References

  • Patchstack advisory: https://patchstack.com/database/vulnerability/erp/wordpress-wp-erp-plugin-1-12-3-reflected-cross-site-scripting-xss-vulnerability
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-34008