WordPress Plugin Vulnerabilities

Google Analytics by Monster Insights < 8.14.1 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
google-analytics-for-wordpress
Fixed in 8.14.1

References

CVE
CVE-2023-23999

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
28005da9-a1eb-42c1-bd2f-648c78394962

Timeline

Publicly Published
2023-05-10 (about 2 years ago)
Added
2023-05-18 (about 2 years ago)
Last Updated
2024-01-26 (about 2 years ago)

Other

Published
Title
Published
2023-02-22
Title
Custom Content Shortcode <= 4.0.2 - Contributor+ Stored XSS
Published
2025-04-01
Title
DobsonDev Shortcodes <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-11
Title
Currency Converter Widget ⚡ PRO < 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-01-03
Title
CformsII < 15.0.7 - Admin+ Stored XSS
Published
2025-09-26
Title
Ditty < 3.1.59 - Contributor+ Stored XSS