WordPress Plugin Vulnerabilities

WP MapIt < 3.0.0 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its wp_mapit shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
wp-mapit
Fixed in 3.0.0

References

CVE
CVE-2023-5658
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7ef6f598-e1a7-4036-9485-1aad0416349a

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
1d66ea7e-0785-438e-bfd4-7c081064c0da

Timeline

Publicly Published
2023-11-06 (about 2 years ago)
Added
2023-11-16 (about 2 years ago)
Last Updated
2023-12-21 (about 2 years ago)

Other

Published
Title
Published
2026-04-21
Title
Bread & Butter: Content Gating for Verified Leads <= 8.2.0.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2024-05-29
Title
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.108 - Authenticated (Contributor+) Stored Cross-Site Scripting via Text Field
Published
2023-01-03
Title
Blockonomics < 3.5.8 - Reflected Cross-Site Scripting
Published
2026-04-28
Title
WP Meteor Website Speed Optimization Addon < 3.4.17 - Unauthenticated Stored Cross-Site Scripting via Comment
Published
2024-07-08
Title
Inline Related Posts < 3.8.0 - Admin+ Stored XSS