WordPress Plugin Vulnerabilities

Scroll post excerpt <= 8.0 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
scroll-post-excerpt
No known fix

References

CVE
CVE-2023-45764
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/scroll-post-excerpt/scroll-post-excerpt-80-authenticated-administrator-stored-cross-site-scripting
URL
https://patchstack.com/database/vulnerability/scroll-post-excerpt/wordpress-scroll-post-excerpt-plugin-8-0-cross-site-scripting-xss

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Rio Darmawan
Verified
No
WPVDB ID
1cfe1174-d05f-4801-ae79-f18ace6cd138

Timeline

Publicly Published
2023-10-12 (about 2 years ago)
Added
2023-10-26 (about 2 years ago)
Last Updated
2023-10-26 (about 2 years ago)

Other

Published
Title
Published
2024-04-24
Title
TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds < 1.5.1 - Authenticated (Shop Manager+) Stored Cross-Site Scripting
Published
2024-03-07
Title
Premium Addons PRO < 2.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Mouse Cursor Module
Published
2024-10-31
Title
WP EASY RECIPE <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-08-21
Title
Super Store Finder < 7.7 - Reflected Cross-Site Scripting
Published
2024-01-05
Title
Weaver Xtreme < 6.4 - Contributor+ Stored XSS