What the vulnerability does
01Description
When using local accounts for administration, the redirect url parameter was not encoded correctly, allowing for an XSS attack providing admin login.
CVE-2023-28800
HIGH
CVE-2023-28800: Output encoding missing in redrurl parameter
CVSS base score
8.1/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Key dates
02Disclosure timeline
June 22, 2023
CVE published
December 6, 2024
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2025-0795 ESAFENET CDG todolistjump.jsp cross site scripting
CVE-2021-34666 Add Sidebar <= 2.0.0 Reflected Cross-Site Scripting
CVE-2024-51813 WordPress Anant Addons for Elementor plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability
CVE-2024-51783 WordPress Forms: 3rd-Party Post Again plugin <= 0.3 - Reflected Cross Site Scripting (XSS) vulnerability
CVE-2024-44039 WordPress WP Travel plugin <= 9.3.1 - Cross Site Scripting (XSS) vulnerability
