WordPress Plugin Vulnerabilities

Subscribers - Free Web Push Notifications < 1.5.4 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
subscribers-com
Fixed in 1.5.4

References

CVE
CVE-2023-22684

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
27416134-6e22-4ff4-ad49-9b66befdd290

Timeline

Publicly Published
2023-04-19 (about 3 years ago)
Added
2023-05-15 (about 2 years ago)
Last Updated
2023-08-10 (about 2 years ago)

Other

Published
Title
Published
2024-05-03
Title
Sheets To WP Table Live Sync < 3.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2026-03-01
Title
Astra Bulk Edit < 1.2.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-27
Title
Simple Basic Contact Form < 20250114 - Admin+ Stored XSS
Published
2025-09-05
Title
Comment Form WP <= 2.0.1 - Admin+ Stored XSS
Published
2026-05-04
Title
Zingaya Click-to-Call <= 1.0 - Reflected Cross-Site Scripting via 'email' Parameter