WordPress Plugin Vulnerabilities

Post Snippets < 4.0.3 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape the snippet_content parameter, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
post-snippets
Fixed in 4.0.3

References

CVE
CVE-2023-25459

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
2671fe60-41b4-49cc-95d3-13805942c72a

Timeline

Publicly Published
2023-05-09 (about 3 years ago)
Added
2023-08-09 (about 2 years ago)
Last Updated
2023-08-09 (about 2 years ago)

Other

Published
Title
Published
2024-12-19
Title
Category Post Slider <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-12-14
Title
WooCommerce myghpay Payment Gateway <= 3.0 - Reflected Cross-Site Scripting
Published
2026-05-11
Title
Fancy Image Show <= 9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Published
2021-08-09
Title
SpeakOut! Email Petitions < 2.13.3 - Reflected Cross-Site Scripting
Published
2025-04-18
Title
SB Chart block < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter