WordPress Plugin Vulnerabilities

Spectra < 2.7.10 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
ultimate-addons-for-gutenberg
Fixed in 2.7.10

References

CVE
CVE-2023-49833
URL
https://patchstack.com/database/vulnerability/ultimate-addons-for-gutenberg/wordpress-spectra-plugin-2-7-9-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
101bbca0-ef3e-4a73-ab22-3e1872aa6389

Timeline

Publicly Published
2023-12-05 (about 2 years ago)
Added
2023-12-11 (about 2 years ago)
Last Updated
2023-12-11 (about 2 years ago)

Other

Published
Title
Published
2024-11-08
Title
Geoportail Shortcode <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-12-24
Title
Store Locator WordPress < 1.4.9 - Contributor+ Stored XSS via Shortcode
Published
2025-04-14
Title
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates < 1.6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'rael_title_tag'
Published
2022-09-23
Title
FontMeister <= 1.08 - Reflected Cross-Site Scripting
Published
2026-03-03
Title
Taskbuilder < 5.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Block Emails' Field