VK Blocks < 1.64.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Block | CVE 2023-5706 | Plugin Vulnerabilities

Description

The VK Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vk-blocks/ancestor-page-list' block in all versions up to, and including, 1.63.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 1.64.0.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/05dd7c96-7880-44a8-a06f-037bc627fd8d

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

38058dcf-3c51-4f25-996d-daf16056a247

Timeline

Publicly Published

2023-10-24 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2020-07-27

Title

Real Estate 7 < 3.0.4 - Unauthenticated Reflected XSS

Published

2025-01-16

Title

Gigaom Sphinx <= 0.1 - Reflected Cross-Site Scripting

Published

2025-08-01

Title

Qi Addons for Elementor < 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via TypeOut Text Widget

Published

2024-05-06

Title

The Plus Addons for Elementor < 5.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-11-23

Title

ARForms Form Builder < 1.5.7 - Unauthenticated Stored XSS