WordPress Plugin Vulnerabilities

BadgeOS <= 3.7.1.6 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
badgeos
No known fix

References

CVE
CVE-2023-2171

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
23062076-ba77-4b45-9d44-c819a3c4c1fb

Timeline

Publicly Published
2023-07-05 (about 2 years ago)
Added
2023-08-31 (about 2 years ago)
Last Updated
2023-08-31 (about 2 years ago)

Other

Published
Title
Published
2025-03-03
Title
Slider by 10Web < 1.2.62 - Admin+ Stored XSS via Widget
Published
2024-09-16
Title
AVIF & SVG Uploader <= 1.1.0 - Author+ Stored XSS via SVG Uplaod
Published
2023-12-27
Title
My Agile Privacy < 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting vis Shortcode
Published
2024-06-21
Title
Social Media Widget < 4.0.9 - Admin+ Stored XSS
Published
2024-12-02
Title
Form Data Collector < 2.2.4 - Reflected Cross-Site Scripting