About Me 3000 widget <= 2.2.6 – Administrator Stored Cross-Site Scripting | CVE 2023-3369 | Plugin Vulnerabilities

Description

The plugin does not sufficiently sanitize user inputs nor escape output in the admin settings, leading to a Stored Cross-Site Scripting vulnerability. This can result in the injection of arbitrary web scripts in pages that execute when a user accesses an injected page. The issue primarily affects multi-site installations and installations where unfiltered_html is disabled.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/be6f660f-041a-42f2-ab5b-72aedf75727d

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Marco Wotschka

Verified

No

WPVDB ID

3ab2b7e8-000d-490e-bb51-b45d6507b9a5

Timeline

Publicly Published

2023-06-22 (about 2 years ago)

Added

2023-07-12 (about 2 years ago)

Last Updated

2023-07-12 (about 2 years ago)

Other

Published

Title

Published

2024-08-04

Title

Cooked – Recipe Management < 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2024-03-01

Title

Calculated Fields Form Professional < 5.1.57 - Unauthenticated Stored Cross-Site Scripting

Published

2022-05-30

Title

Print, PDF, Email by PrintFriendly < 5.2.3 - Admin+ Stored Cross-Site Scripting

Published

2025-06-12

Title

Nasa Core < 6.4.4. - Reflected Cross-Site Scripting

Published

2025-12-04

Title

Sermon Manager <= 2.30.0 - Authenticated (Contributor+) Stored Cross-Site Scripting