Security readout for executives and security teams
Plain-English summary
This affects WordPress sites running the eaSYNC plugin at or below version 1.3.7. An attacker could craft a link that runs script in a victim’s browser if clicked. That can expose data or influence actions in that browser context. No provided source confirms active exploitation.
Executive priority
Treat as high priority for WordPress estates using eaSYNC, especially sites with admin users frequently accessing emailed links. This is not confirmed exploited in the supplied sources, but public-facing WordPress XSS can become operationally disruptive if left unresolved.
Technical view
CVE-2023-38384 is an unauthenticated reflected XSS issue in Syntactics eaSYNC for WordPress, mapped to CWE-79. CVSS 3.1 is 7.1 with network access, low complexity, no privileges, required user interaction, and changed scope. Sources do not name a fixed version or detailed affected endpoint.
Likely exposure
Exposure is likely limited to public WordPress sites with the eaSYNC or easync-booking plugin installed at affected versions. The source bundle says <=1.3.7, while the Patchstack URL references 1.3.6, so confirm locally.
Exploitation context
The CVE is not listed as KEV in the supplied data. Exploitation requires user interaction, typically persuading a user to open a crafted link. The impact is browser-context confidentiality, integrity, and availability, not direct server takeover based on the supplied sources.
Researcher notes
The source evidence establishes unauthenticated reflected XSS and CVSS 7.1, but lacks endpoint detail, exploit evidence, and fixed-version detail. Note the version inconsistency between the CVE description and Patchstack URL before making final exposure calls.
Mitigation direction
- Inventory WordPress sites for the eaSYNC or easync-booking plugin.
- Check installed plugin versions against the CVE and Patchstack advisory.
- Review Syntactics and Patchstack guidance for a fixed version or vendor workaround.
- Disable or remove the plugin where business use is not required.
- Prioritize admin-user awareness until remediation is confirmed.
Validation and detection
- Confirm whether each WordPress instance has eaSYNC installed.
- Record the installed plugin version for vulnerability tracking.
- Check whether Patchstack or vendor guidance identifies a fixed release.
- Review web logs for unusual requests involving eaSYNC paths or parameters.
- Validate remediation by confirming the plugin is updated, disabled, or removed.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2023-38384 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- High
- CVSS
- 7.1 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L2.83.7Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
7.1HighVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Source materials
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
