WordPress Plugin Vulnerabilities

WP Shopping Pages <= 1.14 - Stored XSS via CSRF

Description

The plugin does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

Proof of Concept

Affects Plugins

Plugin icon
shopping-pages
No known fix

References

CVE
CVE-2023-3492

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Katharina Altmann
Submitter
Katharina Altmann
Verified
Yes
WPVDB ID
01b9b1c2-439e-44df-bf01-026cb13d7d40

Timeline

Publicly Published
2023-07-17 (about 2 years ago)
Added
2023-07-17 (about 2 years ago)
Last Updated
2023-07-17 (about 2 years ago)

Other

Published
Title
Published
2025-11-03
Title
Label Plugins <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-01-06
Title
Altra Side Menu <= 2.0 - Abitrary Menu Deletion via CSRF
Published
2025-01-27
Title
Internal Link Builder <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-06-01
Title
Mobile Browser Color Select <= 1.0.1 - Stored Cross-Site Scripting via CSRF
Published
2023-09-04
Title
Realbig < 1.0.7 - Settings Update via CSRF