{"api_version":"1","generated_at":"2026-04-23T11:24:37+00:00","cve":"CVE-2023-2277","urls":{"html":"https://cve.report/CVE-2023-2277","api":"https://cve.report/api/cve/CVE-2023-2277.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-2277","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-2277"},"summary":{"title":"WP Directory Kit <= 1.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting via wdk_resultitem","description":"The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2023-06-13 02:15:09","updated_at":"2026-04-08 18:17:59"},"problem_types":["CWE-352","CWE-352 CWE-352 Cross-Site Request Forgery (CSRF)"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"4.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"baseScore":6.1,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.1.8/application/views/wdk_resultitem/resultitem_edit.php#L34","name":"https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.1.8/application/views/wdk_resultitem/resultitem_edit.php#L34","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"403 Forbidden","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/82c6ed2f-20e8-46d1-a460-16d32b7536cd?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/82c6ed2f-20e8-46d1-a460-16d32b7536cd?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"WP Directory Kit <= 1.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting via wdk_resultitem","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://plugins.trac.wordpress.org/changeset/2904689/wpdirectorykit/trunk/application/controllers/Wdk_resultitem.php","name":"https://plugins.trac.wordpress.org/changeset/2904689/wpdirectorykit/trunk/application/controllers/Wdk_resultitem.php","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Release Notes"],"title":"403 Forbidden","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-2277","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2277","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"wpdirectorykit","product":"WP Directory Kit","version":"affected 1.1.9 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2023-04-24T00:00:00.000Z","lang":"en","value":"Discovered"},{"source":"CNA","time":"2023-04-25T00:00:00.000Z","lang":"en","value":"Vendor Notified"},{"source":"CNA","time":"2023-04-28T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"István Márton","lang":"en"}],"nvd_cpes":[{"cve_year":"2023","cve_id":"2277","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wpdirectorykit","cpe5":"wp_directory_kit","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-02T06:19:14.514Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/82c6ed2f-20e8-46d1-a460-16d32b7536cd?source=cve"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.1.8/application/views/wdk_resultitem/resultitem_edit.php#L34"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset/2904689/wpdirectorykit/trunk/application/controllers/Wdk_resultitem.php"}],"title":"CVE Program Container"},{"metrics":[{"other":{"content":{"id":"CVE-2023-2277","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-12-03T16:36:02.888473Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-12-03T16:36:14.825Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"WP Directory Kit","vendor":"wpdirectorykit","versions":[{"lessThanOrEqual":"1.1.9","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"István Márton"}],"descriptions":[{"lang":"en","value":"The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link."}],"metrics":[{"cvssV3_1":{"baseScore":6.1,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-352","description":"CWE-352 Cross-Site Request Forgery (CSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:04:02.025Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/82c6ed2f-20e8-46d1-a460-16d32b7536cd?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/wpdirectorykit/tags/1.1.8/application/views/wdk_resultitem/resultitem_edit.php#L34"},{"url":"https://plugins.trac.wordpress.org/changeset/2904689/wpdirectorykit/trunk/application/controllers/Wdk_resultitem.php"}],"timeline":[{"lang":"en","time":"2023-04-24T00:00:00.000Z","value":"Discovered"},{"lang":"en","time":"2023-04-25T00:00:00.000Z","value":"Vendor Notified"},{"lang":"en","time":"2023-04-28T00:00:00.000Z","value":"Disclosed"}],"title":"WP Directory Kit <= 1.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting via wdk_resultitem"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2023-2277","datePublished":"2023-06-13T01:48:06.807Z","dateReserved":"2023-04-25T11:46:18.442Z","dateUpdated":"2026-04-08T17:04:02.025Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2023-06-13 02:15:09","lastModifiedDate":"2026-04-08 18:17:59","problem_types":["CWE-352","CWE-352 CWE-352 Cross-Site Request Forgery (CSRF)"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wpdirectorykit:wp_directory_kit:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"1.2.0","matchCriteriaId":"20BCF3D8-BEDB-4089-92A4-F68AF50B1C22"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2023","CveId":"2277","Ordinal":"1","Title":"WP Directory Kit <= 1.1.9 - Cross-Site Request Forgery to Stored","CVE":"CVE-2023-2277","Year":"2023"},"notes":[{"CveYear":"2023","CveId":"2277","Ordinal":"1","NoteData":"The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.","Type":"Description","Title":"WP Directory Kit <= 1.1.9 - Cross-Site Request Forgery to Stored"}]}}}