VYPR
Medium severity 6.5 · NVD Advisory · Published Jan 5, 2026 · Updated Apr 15, 2026

CVE-2023-51513

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INFINITUM FORM Geo Controller allows DOM-Based XSS. This issue affects Geo Controller: from n/a through 8.5.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Geo Controller WordPress plugin versions up to 8.5.2 contain a DOM-based XSS vulnerability due to improper input neutralization.

Vulnerability

Overview

The Geo Controller plugin for WordPress (versions n/a through 8.5.2) contains a DOM-based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user input during web page generation, allowing attacker-controlled data to be executed as JavaScript in the browser of a victim [1]. This type of DOM-based XSS occurs when client-side script processes untrusted input in an unsafe way, without server-side sanitization [1].

Exploitation

Exploitation requires user interaction—a privileged user (such as an administrator) must click a malicious link, visit a crafted page, or submit a specially designed form [1]. The attacker does not need direct network access to the server; the attack is delivered through the victim's browser. The vulnerability is classified as DOM-based, meaning the payload is processed entirely on the client side, bypassing server-side filters [1].

Impact

Successfully exploiting this XSS allows an attacker to inject arbitrary JavaScript code in the context of the victim's session. This could lead to arbitrary script execution, including redirecting users to malicious sites, injecting advertisements, stealing session cookies, or defacing the website [1]. Although the CVSS score is 6.5 (Medium), the vulnerability is noted as being used in mass-exploit campaigns targeting thousands of websites regardless of traffic size [1].

Mitigation

The vendor has released version 8.5.3 which resolves the issue [1]. Users are strongly recommended to update immediately. Additionally, Patchstack provides a mitigation rule that blocks attacks until the update is applied, and auto-update for vulnerable plugins can be enabled for faster protection [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
