HTML filter and csv-file search < 2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | CVE 2023-5096 | Plugin Vulnerabilities

Description

The HTML filter and csv-file search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'csvsearch' shortcode in versions up to, and including, 2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

hk-filter-and-search

Fixed in 2.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/157eddd4-67f0-4a07-b3ab-11dbfb9f12aa

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Alex Thomas

Verified

No

WPVDB ID

2eff7462-4160-4fb4-95cc-86c2460ce100

Timeline

Publicly Published

2023-10-30 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-09-12

Title

Avada | Website Builder For WordPress & eCommerce < 3.11.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via fusion_button Shortcode

Published

2023-12-21

Title

Photo Gallery by 10Web < 1.8.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Widget

Published

2024-04-15

Title

Shortcodes and extra features for Phlox theme < 2.15.6 - Contributor+ Stored XSS via Accordion Widget

Published

2022-01-10

Title

GTranslate < 2.9.7 - Reflected Cross-Site Scripting

Published

2025-12-31

Title

Valenti Engine <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting