CVE-2023-49186
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS. This issue affects Machic Core: from n/a through 1.2.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOM-Based XSS vulnerability in WordPress Machic Core plugin (≤1.2.6) allows script injection via improper input neutralization.
The vulnerability is a DOM-Based Cross-Site Scripting (XSS) in the Machic Core plugin for WordPress, affecting versions from n/a through 1.2.6. The root cause is improper neutralization of user input during web page generation, allowing an attacker to inject malicious scripts into the DOM of a victim's browser [1].
Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page. An attacker with basic privileges (e.g., subscriber) can initiate the attack, but the victim—typically a site visitor or admin—must perform an action for the payload to execute. The attack can be launched remotely without authentication, targeting any site running the vulnerable plugin [1].
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, redirection to malicious sites, injection of advertisements, theft of sensitive data (e.g., cookies, form submissions), or defacement of the web page. The CVSS v3 base score is 7.1 (High), reflecting the potential for widespread impact due to the plugin's popularity [1].
As of the publication date, Patchstack has released a mitigation rule to block attacks until an official patch is available. Users are strongly advised to update the plugin to a patched version once released, or apply the mitigation rule. Site administrators should also educate users about the risk of clicking untrusted links [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 1.2.6
- (no CPE) range: <= 1.2.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.