WordPress Plugin Vulnerabilities

WP Inventory Manager < 2.1.0.13 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

Proof of Concept

Affects Plugins

Plugin icon
wp-inventory-manager
Fixed in 2.1.0.13

References

CVE
CVE-2023-2123
URL
https://github.com/daniloalbuqrque/poc-cve-xss-encoded-wp-inventory-manager-plugin

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
daniloalbuqrque
Submitter
daniloalbuqrque
Submitter website
https://github.com/daniloalbuqrque
Verified
Yes
WPVDB ID
44448888-cd5d-482e-859e-123e442ce5c1

Timeline

Publicly Published
2023-04-26 (about 2 years ago)
Added
2023-04-26 (about 2 years ago)
Last Updated
2023-04-26 (about 2 years ago)

Other

Published
Title
Published
2025-06-27
Title
Add & Replace Affiliate Links for Amazon <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-03-29
Title
Genesis Blocks < 3.1.3 - Contributor+ Stored XSS
Published
2025-04-16
Title
Logo Carousel Slider <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-03
Title
Taskbuilder – WordPress Project & Task Management plugin < 3.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via wppm_tasks Shortcode
Published
2012-01-09
Title
Yousaytoo Auto Publishing <= 1.0 - Cross Site Scripting