WordPress Plugin Vulnerabilities

Insert or Embed Articulate Content into WordPress < 4.3000000023 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
insert-or-embed-articulate-content-into-wordpress
Fixed in 4.3000000023

References

CVE
CVE-2023-50824
URL
https://patchstack.com/database/vulnerability/insert-or-embed-articulate-content-into-wordpress/wordpress-insert-or-embed-articulate-content-into-wordpress-plugin-4-3000000021-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
2fa9e755-0508-453a-bcc5-282fc3398c0a

Timeline

Publicly Published
2023-12-19 (about 2 years ago)
Added
2023-12-23 (about 2 years ago)
Last Updated
2024-01-24 (about 2 years ago)

Other

Published
Title
Published
2022-12-27
Title
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box < 6.4.0 - Contributor+ Stored XSS
Published
2014-08-01
Title
SimpleDark 1.2.10 - 's' Parameter Cross Site Scripting
Published
2023-07-31
Title
MultiParcels Shipping For WooCommerce 1.15.2-1.15.3 - Reflected XSS
Published
2025-04-01
Title
WP Chrono <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-10-27
Title
Master Slider Pro <= 3.7.12 - Authenticated (Contributor+) Stored Cross-Site Scripting