WordPress Plugin Vulnerabilities

Colibri Page Builder < 1.0.248 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
colibri-page-builder
Fixed in 1.0.248

References

CVE
CVE-2023-50833
URL
https://patchstack.com/database/vulnerability/colibri-page-builder/wordpress-colibri-page-builder-plugin-1-0-239-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
40c4a3bb-1291-45da-a8dd-8694ae58d235

Timeline

Publicly Published
2023-12-19 (about 2 years ago)
Added
2023-12-26 (about 2 years ago)
Last Updated
2024-01-10 (about 2 years ago)

Other

Published
Title
Published
2025-09-10
Title
Enhanced BibliPlug <= 1.3.8 - Authenticated (Contirbutor+) Stored Cross-Site Scripting
Published
2024-04-12
Title
Remove Footer Credit < 1.0.14 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-02-12
Title
DethemeKit For Elementor < 2.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via De Gallery Widget
Published
2025-06-05
Title
RTMKit Addons for Elementor < 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2020-08-31
Title
WP Floating Menu < 1.4.1 - Authenticated Reflected Cross-Site Scripting