CVE-2023-35883
Core Web Vitals & PageSpeed Booster <= 1.0.12 - Open Redirect via _wp_http_referer
mediumURL Redirection to Untrusted Site ('Open Redirect')
4.7
CVSS Score
4.7
CVSS Score
medium
Severity
1.0.13
Patched in
218d
Time to patch
Description
The Core Web Vitals & PageSpeed Booster plugin for WordPress is vulnerable to Open Redirect in versions up to, and including, 1.0.12. This is due to insufficient validation on the redirect url supplied via the _wp_http_referer parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NAttack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
None
Confidentiality
Low
Integrity
None
Availability
Technical Details
Affected versions
<=1.0.12PublishedJune 19, 2023
Last updatedJanuary 22, 2024
Affected plugincore-web-vitals-pagespeed-booster
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.