WordPress Plugin Vulnerabilities

Advanced Social Pixel <= 2.1.1 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
ns-facebook-pixel-for-wp
No known fix

References

CVE
CVE-2023-24381

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Rio Darmawan
Verified
No
WPVDB ID
05a63d24-fe2c-4315-b8e4-db2f4a318b1c

Timeline

Publicly Published
2023-01-21 (about 3 years ago)
Added
2023-03-20 (about 3 years ago)
Last Updated
2023-03-20 (about 3 years ago)

Other

Published
Title
Published
2023-05-29
Title
Telegram Bot & Channel < 3.6.3 - Admin+ Stored XSS
Published
2024-07-10
Title
Fusion < 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-07-17
Title
Knowledge Base < 2.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Slug
Published
2023-03-22
Title
WP VR < 8.2.9 - Reflected XSS
Published
2026-01-16
Title
Integrate Dynamics 365 CRM < 1.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration