WordPress Plugin Vulnerabilities

ShortCodes UI <= 1.9.8 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
shortcodes-ui
No known fix

References

CVE
CVE-2023-47231

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
4fe687e0-dc62-4d0a-8b61-58d821fc0213

Timeline

Publicly Published
2023-11-03 (about 2 years ago)
Added
2023-11-16 (about 2 years ago)
Last Updated
2023-11-16 (about 2 years ago)

Other

Published
Title
Published
2025-04-03
Title
Wptobe-signinup <= 1.1.2 - Reflected Cross-Site Scripting
Published
2025-02-11
Title
FuseDesk < 6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-04-26
Title
Happy Addons for Elementor Free < 2.24.0 and Pro < 1.17.0 - Contributor+ Stored XSS
Published
2022-06-14
Title
WordPress Real Cookie Banner < 2.18.2 - Reflected Cross-Site Scripting
Published
2025-01-09
Title
Tracking Code Manager < 2.4.0 - Contributor+ Stored XSS