CVE-2023-54358: WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile
WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials.
Security readout for executives and security teams
Plain-English summary
This is a reflected cross-site scripting issue in the WordPress adivaha Travel Plugin 2.3. An attacker could lure a user to a crafted link and run script in that user’s browser. The main business risk is session or credential theft on affected WordPress sites.
Executive priority
Treat this as a moderate web risk. It is not confirmed as actively exploited in the supplied sources, but public exploit information and possible credential theft justify timely inventory, vendor-guidance review, and removal or update of affected deployments.
Technical view
CVE-2023-54358 is CWE-79 reflected XSS in the isMobile GET parameter on the /mobile-app/v3/ endpoint. The bundle reports unauthenticated injection, CVSS 3.1 score 6.1, network attack vector, low complexity, and required user interaction. Only version 2.3 is identified as affected.
Likely exposure
Exposure appears limited to public WordPress sites running adivaha Travel Plugin version 2.3. The provided sources do not confirm broader version ranges, fixed versions, or affected CPEs, so asset validation should focus on plugin presence and exact version.
Exploitation context
The source bundle includes an ExploitDB reference, indicating public exploit information exists. The CVE is not listed as KEV in the bundle, and no cited source states active exploitation. Practical exploitation still requires a victim to interact with a malicious URL.
Researcher notes
Evidence is sufficient for affected product, version 2.3, parameter, endpoint, weakness class, and CVSS context. Evidence is incomplete for patch availability, fixed version, active exploitation, plugin install prevalence, and whether adjacent versions are vulnerable.
Mitigation direction
Inventory WordPress sites for adivaha Travel Plugin version 2.3.
Check Adivaha and WordPress plugin pages for fixed releases or vendor mitigation.
Disable or remove the plugin where business use is not required.
Review WAF or browser-side controls for reflected XSS reduction.
Prioritize administrator and editor accounts for phishing-resistant authentication.
Validation and detection
Confirm whether the plugin is installed on each WordPress site.
Record the exact installed plugin version and compare against version 2.3.
Review web access logs for requests to /mobile-app/v3/ using isMobile.
Check vendor and WordPress plugin pages for current security guidance.
Verify compensating controls without using live exploit payloads.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.