WordPress Plugin Vulnerabilities

EmbedPress < 3.8.3 - Contributor+ Stored Cross-Site Scripting via Shortcode

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.

Affects Plugins

Plugin icon
embedpress
Fixed in 3.8.3

References

CVE
CVE-2023-4283
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/embedpress/embedpress-382-authenticated-contributor-stored-cross-site-scripting-via-shortcode

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
25d0d190-0748-4518-ad83-ba6a0f9d1319

Timeline

Publicly Published
2023-08-09 (about 2 years ago)
Added
2023-08-10 (about 2 years ago)
Last Updated
2023-08-10 (about 2 years ago)

Other

Published
Title
Published
2012-05-15
Title
Survey And Quiz Tool <= 2.9.2 - Cross Site Scripting
Published
2022-03-14
Title
KingComposer <= 2.9.6 - Subscriber+ Stored Cross-Site Scripting
Published
2025-01-07
Title
News Ticker Widget for Elementor < 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-13
Title
Tabs Maker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-22
Title
Nioland < 1.2.7 - Reflected Cross-Site Scripting via s