WordPress Plugin Vulnerabilities

Weaver Show Posts < 1.7 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not properly escape the profile display name, leading to stored Cross-Site Scripting vulnerabilities.

Affects Plugins

Plugin icon
show-posts
Fixed in 1.7

References

CVE
CVE-2023-1404
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/show-posts/weaver-show-posts-16-authenticatedcontributor-stored-cross-site-scripting-via-display-name

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
23838071-a9dc-4628-b5f3-9e90f10beb5b

Timeline

Publicly Published
2023-04-01 (about 3 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2023-01-20
Title
WP Flipclock < 1.8 - Contributor+ Stored XSS
Published
2024-06-06
Title
WP Visitors Tracker < 2.4 - Reflected Cross-Site Scripting
Published
2025-02-02
Title
Callback Request <= 1.4 - Reflected Cross-Site Scripting
Published
2025-04-04
Title
News Kit Elementor Addons <= 1.4.2 - Contributor+ Stored XSS
Published
2025-01-16
Title
Ultimate Events <= 1.3.3 - Reflected Cross-Site Scripting