JSON Content Importer < 1.5.4 – Reflected XSS | CVE 2023-6268 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open: https://example.com/wp-admin/admin.php?page=unique_jci_menu_slug&tab=%22%3E%3Cscript%3Ealert%28%2FXSS%2F%29%3B%3C%2Fscript%3E

Affects Plugins

json-content-importer

Fixed in 1.5.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

15b9ab48-c038-4f2e-b823-1e374baae985

Timeline

Publicly Published

2023-12-04 (about 2 years ago)

Added

2023-12-04 (about 2 years ago)

Last Updated

2023-12-04 (about 2 years ago)

Other

Published

Title

Published

2024-11-08

Title

WoW Guild Armory Roster <= 0.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-04-22

Title

Advanced Floating Content Lite < 1.2.6 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2024-10-03

Title

Display Medium Posts <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via display_medium_posts Shortcode

Published

2025-06-27

Title

Raise The Money <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-05-12

Title

WP Register Profile With Shortcode < 3.5.9 - Admin+ Stored XSS