WordPress Plugin Vulnerabilities

Countdown and CountUp, WooCommerce Sales Timer < 1.8.3 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Affects Plugins

Plugin icon
countdown-wpdevart-extended
Fixed in 1.8.3

References

CVE
CVE-2023-47533
URL
https://patchstack.com/database/wordpress/plugin/countdown-wpdevart-extended/vulnerability/wordpress-countdown-and-countup-woocommerce-sales-timer-plugin-1-8-2-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
SeungYongLee
Verified
No
WPVDB ID
22307dab-3393-48ee-97ed-6cf697057574

Timeline

Publicly Published
2023-11-07 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-12-18 (about 1 year ago)

Other

Published
Title
Published
2023-09-11
Title
JQuery Accordion Menu Widget for WordPress <= 3.1.2 - Contributor+ Stored XSS
Published
2023-10-23
Title
WP Font Awesome <= 1.7.9 - Contributor+ Stored Cross-Site Scripting via Shortcode
Published
2024-08-26
Title
Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid < 1.4.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2025-04-09
Title
HTML5 Video Player with Playlist <= 2.50 - Reflected Cross-Site Scripting
Published
2025-11-20
Title
Affiliate AI Lite < 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting