WordPress Plugin Vulnerabilities

WP EasyPay < 4.1 - Reflected Cross-Site Scripting

Description

The plugin does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin

Proof of Concept

Affects Plugins

Plugin icon
wp-easy-pay
Fixed in 4.1

References

CVE
CVE-2023-1465

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
Pablo Sanchez
Submitter
Pablo Sanchez
Verified
Yes
WPVDB ID
13f59eb4-0744-4fdb-94b5-886ee6bdd867

Timeline

Publicly Published
2023-05-01 (about 2 years ago)
Added
2023-04-28 (about 2 years ago)
Last Updated
2023-04-28 (about 2 years ago)

Other

Published
Title
Published
2021-04-13
Title
PowerPack Addons for Elementor < 2.3.2 - Contributor+ Stored XSS
Published
2025-02-19
Title
Elementor Website Builder < 3.27.5 - Contributor+ Stored XSS
Published
2021-06-15
Title
RSS for Yandex Turbo < 1.31 - Admin+ Stored Cross-Site Scripting
Published
2025-09-10
Title
WP Easy FAQs <= 1.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via WP_EASY_FAQ Shortcode
Published
2025-05-23
Title
4stats <= 2.0.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting