WordPress Plugin Vulnerabilities

WP-Matomo Integration (WP-Piwik) < 1.0.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description

The WP-Matomo Integration (WP-Piwik) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp-piwik' shortcode in versions up to, and including, 1.0.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
wp-piwik
Fixed in 1.0.29

References

CVE
CVE-2023-4774
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/faa4f041-4740-4ebb-afb3-10019ce571be

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
0054803b-e3e3-492d-9f32-9423223524e7

Timeline

Publicly Published
2023-09-21 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-12-20 (about 2 years ago)

Other

Published
Title
Published
2025-12-31
Title
Add Featured Image Custom Link <= 2.0.0 - Authenticated (Author+) Stored Cross-Site Scripting
Published
2023-01-20
Title
WPMobile.App < 11.14 - Contributor+ Stored XSS
Published
2024-08-07
Title
Xpro Elementor Addons < 1.4.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-11
Title
WP Featured Screenshot <= 1.3 - Reflected Cross-Site Scripting
Published
2025-08-30
Title
ACF Recent Posts Widget <= 5.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting