VYPR
Medium severity · 6.1 · NVD Advisory · Published Apr 9, 2026 · Updated Apr 15, 2026

CVE-2023-54358


Description

WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint; when a victim opens such a URL, the payload executes as arbitrary JavaScript in the victim's browser, which can be used to steal session tokens or credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated reflected XSS in WordPress adivaha Travel Plugin 2.3 via the isMobile GET parameter at /mobile-app/v3/.

Vulnerability

Overview

CVE-2023-54358 describes a reflected cross-site scripting (XSS) vulnerability in the WordPress adivaha Travel Plugin version 2.3. The root cause is improper neutralization of user-supplied input in the isMobile GET parameter at the /mobile-app/v3/ endpoint. This allows an unauthenticated attacker to inject arbitrary JavaScript code that is reflected back to the victim's browser.[1][3][4]

Exploitation

Conditions

An attacker crafts a URL carrying a JavaScript payload in the isMobile parameter and delivers it to a victim by email, instant message, or any other channel. No authentication or special permissions are required on the attacker's side, so the attack surface is broad. The payload runs as soon as the victim opens the link in a browser; the victim does not have to be logged in for the script to execute, but the damaging scenarios below assume a victim who holds an active session on the WordPress site running the vulnerable plugin version.[3][4]
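Probing a site for this safely is a matter of sending a marker that can only survive intact if the page echoes isMobile without output encoding. The following Python is an added example, not code from the plugin, its vendor or this page: it builds the probe URL named above and classifies a response body. The two response templates and the site URL (example.test) are constructed stand-ins, not captured plugin output, and the hardened case assumes WordPress-style esc_attr()/htmlspecialchars() encoding.

```python
"""Safe reflection check for the isMobile parameter described in CVE-2023-54358.

Added example, not code from the adivaha Travel Plugin, its vendor or VYPR.
The response bodies are constructed stand-ins for a vulnerable and a hardened
page; they were not captured from the plugin.
"""
import html
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit

ENDPOINT_PATH = "/mobile-app/v3/"  # endpoint named in the advisory
PARAM = "isMobile"                 # parameter named in the advisory


def make_canary(token: str = "") -> str:
    """Return a harmless marker that survives intact only if output is unescaped.

    It closes an attribute and opens a made-up tag but carries no script, so
    nothing executes in a browser even when the site is vulnerable.
    """
    token = token or secrets.token_hex(6)
    return f'"><x{token}>'


def build_probe_url(site: str, canary: str) -> str:
    """Build <site>/mobile-app/v3/?isMobile=<canary> with proper URL encoding."""
    scheme, netloc, path, _, _ = urlsplit(site)
    path = path.rstrip("/") + ENDPOINT_PATH      # copes with sub-directory installs
    return urlunsplit((scheme, netloc, path, urlencode({PARAM: canary}), ""))


def classify_reflection(body: str, canary: str) -> str:
    """Report how the server treated the canary.

    'unescaped' : the raw marker is in the HTML, so attacker markup reaches the DOM
    'encoded'   : the marker's token appears but its special characters were
                  transformed (esc_attr()/htmlspecialchars() or similar)
    'absent'    : the value is not reflected on this page at all
    """
    if canary in body:
        return "unescaped"
    token = canary[len('"><x'):-1]               # the random part of the marker
    if token in body:
        return "encoded"
    return "absent"


# Constructed stand-ins for the two behaviours (hypothetical, not real plugin output).
VULNERABLE_TEMPLATE = '<input type="hidden" name="isMobile" value="{}">'
HARDENED_TEMPLATE = '<input type="hidden" name="isMobile" value="{}">'


def demo(site: str = "https://example.test") -> dict:
    """Run the classifier against the constructed bodies and return the verdicts."""
    canary = make_canary()
    vulnerable = VULNERABLE_TEMPLATE.format(canary)                    # echoed as-is
    hardened = HARDENED_TEMPLATE.format(html.escape(canary, quote=True))  # output-encoded
    return {
        "probe_url": build_probe_url(site, canary),
        "vulnerable": classify_reflection(vulnerable, canary),
        "hardened": classify_reflection(hardened, canary),
        "unrelated_page": classify_reflection("<html><body>hi</body></html>", canary),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a live site, fetch `build_probe_url(site, canary)` with any HTTP client and feed the body to `classify_reflection`; only the 'unescaped' verdict confirms the defect, while 'encoded' on a patched build is the evidence that output encoding is now applied. Use a fresh canary per request so a cached page cannot produce a false result.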

Impact

Successful exploitation runs attacker-controlled JavaScript in the victim's browser within the origin of the WordPress site, not merely the plugin's page. From there the script can issue requests that carry the victim's cookies and so act on the victim's behalf, or present a fake login form to harvest credentials. One caveat for anyone triaging this: WordPress sets its authentication cookies with the HttpOnly flag, so document.cookie does not expose them directly; session abuse in practice means riding the live session from within the page rather than exfiltrating the cookie. The CVSS v3 base score of 6.1 (Medium) reflects the user interaction required, but a successful attack can still lead to significant compromise of the victim's account and data.[1][3][4]

Mitigation

Status

At the time of publication, a patched version has not been confirmed; apply vendor updates as soon as one is released. Given the low exploitation complexity and the public exploit referenced in [4], organizations should put a WAF or a security plugin that filters GET parameters in front of the site as an interim control. Because isMobile is evidently a flag, the tightest compensating rule is a positive one: allow only the expected values (for example 0/1 or true/false) on /mobile-app/v3/ and reject or drop anything else, rather than relying on a blocklist of script patterns alone.[4]
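For the detection side of the interim controls above, here is an added example (not VYPR's code and not the vendor's) in Python that hunts through web server access logs for requests to /mobile-app/v3/ whose isMobile value is anything other than a boolean flag, decoding nested URL encoding so double-encoded probes are not missed. The log lines are constructed in the Apache/nginx combined format with documentation IP ranges purely to exercise the rule; the path suffix match, the allowed flag values and the markup patterns are assumptions about what legitimate and hostile requests look like, not details taken from the advisory.

```python
"""Hunt for CVE-2023-54358 probes in web server access logs.

Added example, not VYPR's code and not the plugin vendor's. The log lines are
constructed in the Apache/nginx combined format (documentation IP ranges,
made-up timestamps) purely to exercise the rule.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: ip - - [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

ENDPOINT_SUFFIX = "/mobile-app/v3"          # from the advisory; suffix match copes with sub-directory installs
PARAM = "isMobile"                          # from the advisory
EXPECTED = {"", "0", "1", "true", "false"}  # assumption: isMobile is a boolean flag

# Enrichment only: markup or script fragments that never belong in a flag value.
MARKUP = re.compile(r"<|>|javascript:|on[a-z]+\s*=|alert\(|document\.|&#", re.IGNORECASE)


def decode_layers(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so a double-encoded payload (%253C -> %3C -> <) is seen in the clear."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return a finding dict for an unexpected isMobile value on the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                          # not a combined-format line
    parts = urlsplit(m.group("target"))
    if not parts.path.rstrip("/").endswith(ENDPOINT_SUFFIX):
        return None
    # parse_qs already decodes one layer; decode_layers peels any further ones.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = decode_layers(raw)
        if value.lower() in EXPECTED:
            continue                         # positive allowlist: expected flag values pass
        return {
            "ip": m.group("ip"),
            "time": m.group("time"),
            "status": int(m.group("status")),
            "isMobile": value,
            "markup": bool(MARKUP.search(value)),   # True when the value carries HTML/JS
        }
    return None


def hunt(lines):
    """Return every finding across an iterable of log lines."""
    return [hit for hit in map(inspect_line, lines) if hit]


# Constructed sample traffic (not real logs).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Apr/2026:10:00:01 +0000] "GET /mobile-app/v3/?isMobile=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Apr/2026:10:02:13 +0000] "GET /mobile-app/v3/?isMobile=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 640 "-" "curl/8.0"',
    '198.51.100.7 - - [09/Apr/2026:10:02:20 +0000] "GET /blog/mobile-app/v3/?isMobile=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    '203.0.113.9 - - [09/Apr/2026:10:03:02 +0000] "GET /?s=%3Cb%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [09/Apr/2026:10:04:44 +0000] "GET /mobile-app/v3/?isMobile=yes HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The allowlist is the primary rule, mirroring the compensating control recommended above: a value that is not a recognised flag is a finding whether or not it looks like a payload, and the `markup` field only ranks it. A 200 status on a flagged request is the case to escalate, because a reflecting page has served the payload back; a 403 from a WAF is confirmation the interim control fired.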

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)