WordPress Plugin Vulnerabilities

WordPress Social Login <= 3.0.4 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its wordpress_social_login_meta shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
wordpress-social-login
No known fix

References

CVE
CVE-2023-4773

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
4d9092fc-d94d-4725-9bd3-d38cc52386b4

Timeline

Publicly Published
2023-09-05 (about 2 years ago)
Added
2023-09-07 (about 2 years ago)
Last Updated
2023-09-07 (about 2 years ago)

Other

Published
Title
Published
2025-03-03
Title
Master Addons < 2.0.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Published
2025-01-14
Title
WP Post Corrector <= 1.0.2 - Reflected Cross-Site Scripting
Published
2024-03-18
Title
WPB Show Core < 2.6 - Reflected XSS
Published
2025-03-18
Title
Product Puller <= 1.5.1 - Reflected Cross-Site Scripting
Published
2025-04-01
Title
BlockWheels <= 1.0.2 - Contributor+ Stored XSS