{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-6164", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-11-15T18:33:03.654Z", "datePublished": "2023-11-22T15:33:28.411Z", "dateUpdated": "2026-04-08T17:00:57.400Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:57.400Z"}, "affected": [{"vendor": "mainwp", "product": "MainWP Dashboard: Self-hosted WordPress Management for Agencies", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.5.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MainWP Dashboard \u2013 WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the \u2018newColor\u2019 parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags."}], "title": "MainWP Dashboard <= 4.5.1.2 - Authenticated(Administrator+) CSS Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "cweId": "CWE-74", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.2, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "H\u00fcseyin TINTA\u015e"}], "timeline": [{"time": "2023-10-20T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.824Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mainwp:mainwp:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5022351F-FCEE-4A33-886C-40544C432C0D", "versionEndIncluding": "4.5.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The MainWP Dashboard \u2013 WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the \u2018newColor\u2019 parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags."}, {"lang": "es", "value": "El complemento MainWP Dashboard \u2013 WordPress Manager for Multiple Websites Maintenance para WordPress es vulnerable a la inyecci\u00f3n de CSS a trav\u00e9s del par\u00e1metro 'newColor' en todas las versiones hasta la 4.5.1.2 incluida debido a una sanitizaci\u00f3n de entrada insuficiente. Esto hace posible que atacantes autenticados, con acceso a nivel de administrador, inyecten valores CSS arbitrarios en las etiquetas del sitio."}], "id": "CVE-2023-6164", "lastModified": "2026-04-08T18:18:35.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-22T16:15:15.970", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}

{}