Platform: php
Component: vuls
Fixed in: 4.7.19
CVE-2023-5013 is a cross-site scripting (XSS) vulnerability in Pluck CMS version 4.7.18. The flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. It resides in the installation handler (install.php) and is addressed in version 4.7.19.
Successful exploitation of CVE-2023-5013 allows an attacker to inject arbitrary JavaScript code into the Pluck CMS application. This can lead to a variety of malicious actions, including stealing user cookies, redirecting users to phishing sites, or defacing the website. The attack is remotely exploitable, meaning an attacker does not need to be on the same network as the CMS. While the complexity of the attack is considered high, the public disclosure of the vulnerability increases the risk of exploitation, particularly if users have not yet applied the patch.
CVE-2023-5013 was publicly disclosed on September 16, 2023. Its CVSS score is 2.6 (low). A public proof-of-concept may exist, which increases the likelihood of exploitation, so patching should be prioritized.
Exploit Status
EPSS: 0.07% (22nd percentile)
The primary mitigation for CVE-2023-5013 is to upgrade Pluck CMS to version 4.7.19 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the contents parameter in install.php to prevent the injection of malicious scripts. While a Web Application Firewall (WAF) might offer some protection, it is not a substitute for patching the vulnerable software. After upgrading, verify the fix by attempting to inject a simple JavaScript payload into the contents parameter of install.php and confirming that it is properly sanitized.
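The escaping that the mitigation paragraph describes, shown as an added example that is not Pluck CMS's own install.php code: the parameter name `contents` comes from the advisory, while the function names and the textarea output context are assumptions.

```php
<?php
// Added example (not Pluck CMS code): the reflected-XSS pattern the advisory
// describes, beside a hardened version of the same handler. Only the
// parameter name "contents" is taken from the advisory; the rest is assumed.

declare(strict_types=1);

// Vulnerable pattern: a request-controlled value is written straight into the
// HTML response, so any markup it contains is interpreted by the browser.
function render_contents_vulnerable(string $contents): string
{
    return '<textarea name="contents">' . $contents . '</textarea>';
}

// Hardened pattern: escape every request-controlled value for the HTML
// context it lands in. ENT_QUOTES also encodes both quote styles, so the
// same helper is safe inside attribute values; the charset is made explicit.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_contents_hardened(string $contents): string
{
    return '<textarea name="contents">' . escape_html($contents) . '</textarea>';
}

// Regression check a maintainer could keep: the rendered output must never
// contain the input's tags as live markup. Throws if escaping regresses.
function assert_escaped(string $raw, string $rendered): void
{
    if (strpos($rendered, $raw) !== false) {
        throw new RuntimeException('request-controlled markup reached the response unescaped');
    }
}

// Constructed sample input: a harmless tag is enough to show the difference.
$sample = '<b>probe</b>';

echo render_contents_vulnerable($sample), PHP_EOL; // tag survives as markup
echo render_contents_hardened($sample), PHP_EOL;   // tag is shown as text

assert_escaped($sample, render_contents_hardened($sample));
```

The same escaping applies to any other place install.php echoes request data, not only the textarea shown here.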
Update Pluck CMS to a version later than 4.7.18 that has fixed the XSS vulnerability in the install.php file. If no such version is available, consider applying a manual patch to install.php to filter or escape user input in the 'contents' parameter.
CVE-2023-5013 is a cross-site scripting (XSS) vulnerability in Pluck CMS version 4.7.18 that allows attackers to inject malicious scripts.
You are affected if you are using Pluck CMS version 4.7.18. Upgrade to 4.7.19 or later to mitigate the risk.
Upgrade Pluck CMS to version 4.7.19 or later. Implement input validation and sanitization on the contents parameter in install.php as a temporary workaround.
While active exploitation is not confirmed, the public disclosure of the vulnerability increases the risk of exploitation.
Refer to the Pluck CMS website or security advisories for the official advisory regarding CVE-2023-5013.