CVE-2023-53953
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-19

Last updated on: 2025-12-27

Assigner: VulnCheck

Description
WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating web pages. Attackers can craft malicious payloads in page titles that execute arbitrary JavaScript when the page is viewed by other users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2025-12-27
Generated
2026-06-16
AI Q&A
2025-12-19
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53953
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
websitebaker websitebaker 2.13.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2023-53953 is a stored cross-site scripting (XSS) vulnerability in WebsiteBaker version 2.13.3. It allows authenticated users with page creation privileges to inject malicious JavaScript code into the titles of web pages they create. When other users view these pages, the malicious scripts execute in their browsers. This happens because the application does not properly sanitize user input during page creation, enabling attackers to embed harmful scripts that run in the context of the victim's browser. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized actions or data exposure for users who view the maliciously crafted pages. Since the injected scripts execute in the context of the victim's browser, attackers could potentially steal session cookies, perform actions on behalf of the user, or manipulate the content displayed. The impact is considered low to moderate, with a CVSS v4 base score of 5.1 and v3.1 score of 6.4, indicating some risk but limited severity. [1, 2]

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious scripts injected into page titles via the page creation functionality. One way to detect it is to monitor POST requests to the endpoint `/admin/pages/add.php` with suspicious payloads in the `title` parameter, such as HTML tags with event handlers (e.g., `<img src=x onerror=alert(1)>`). Network monitoring tools or web application firewalls can be configured to log or alert on such requests. Additionally, reviewing the stored page titles in the database for suspicious JavaScript code can help identify exploitation. Specific commands depend on your environment, but for example, using curl to simulate the exploit POST request can help verify vulnerability: `curl -X POST -d "title=<img src=x onerror=alert(1)>" -b cookies.txt https://yourwebsite/admin/pages/add.php` (assuming authentication cookies are stored in cookies.txt). [1]

Mitigation Strategies

Immediate mitigation steps include restricting page creation privileges to trusted users only, as the vulnerability requires authenticated users with page creation rights. Additionally, implement input sanitization and validation on the `title` parameter to prevent injection of malicious scripts. Applying any available patches or updates from the vendor is recommended once released. In the meantime, monitoring and blocking suspicious POST requests to `/admin/pages/add.php` can reduce exploitation risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53953. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart