CVE-2023-6164 - Vulnerability Details - OpenCVE

The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mainwp	Mainwp

Configuration 1 [-]

cpe:2.3:a:mainwp:mainwp:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve

History

Wed, 08 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
Title		MainWP Dashboard <= 4.5.1.2 - Authenticated(Administrator+) CSS Injection
Weaknesses		CWE-74

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-11-22T15:33:28.411Z

Updated: 2026-04-08T17:00:57.400Z

Reserved: 2023-11-15T18:33:03.654Z

Link: CVE-2023-6164

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-11-22T16:15:15.970

Modified: 2026-04-08T18:18:35.137

Link: CVE-2023-6164

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-6164", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-11-15T18:33:03.654Z", "datePublished": "2023-11-22T15:33:28.411Z", "dateUpdated": "2026-04-08T17:00:57.400Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:57.400Z"}, "affected": [{"vendor": "mainwp", "product": "MainWP Dashboard: Self-hosted WordPress Management for Agencies", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.5.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MainWP Dashboard \u2013 WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the \u2018newColor\u2019 parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags."}], "title": "MainWP Dashboard <= 4.5.1.2 - Authenticated(Administrator+) CSS Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "cweId": "CWE-74", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.2, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "H\u00fcseyin TINTA\u015e"}], "timeline": [{"time": "2023-10-20T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.824Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mainwp:mainwp:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5022351F-FCEE-4A33-886C-40544C432C0D", "versionEndIncluding": "4.5.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The MainWP Dashboard \u2013 WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the \u2018newColor\u2019 parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags."}, {"lang": "es", "value": "El complemento MainWP Dashboard \u2013 WordPress Manager for Multiple Websites Maintenance para WordPress es vulnerable a la inyecci\u00f3n de CSS a trav\u00e9s del par\u00e1metro 'newColor' en todas las versiones hasta la 4.5.1.2 incluida debido a una sanitizaci\u00f3n de entrada insuficiente. Esto hace posible que atacantes autenticados, con acceso a nivel de administrador, inyecten valores CSS arbitrarios en las etiquetas del sitio."}], "id": "CVE-2023-6164", "lastModified": "2026-04-08T18:18:35.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.2, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-22T16:15:15.970", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?old_path=/mainwp/tags/4.5.1.2&old=2996628&new_path=/mainwp/tags/4.5.1.3&new=2996628&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73980a90-bb17-46e4-a0ea-691f80500fe3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}