WordPress Plugin Vulnerabilities

CC Custom Taxonomy <= 1.0.1 - Admin+ Stored XSS

Description

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
cc-custom-taxonmy
No known fix

References

CVE
CVE-2023-25028

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Nithissh S
Verified
No
WPVDB ID
55bfc0d7-afd6-4e42-a9e0-b91f60bc1649

Timeline

Publicly Published
2023-02-06 (about 3 years ago)
Added
2023-05-24 (about 2 years ago)
Last Updated
2023-05-24 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Artiss Code Embed 2.0.1 - wp-admin/admin.php suffix Parameter XSS
Published
2026-01-13
Title
SearchWiz <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
Published
2026-03-06
Title
Consensus Embed <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute
Published
2025-04-01
Title
Leartes TRY Exchange Rates <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-28
Title
Landing Page Builder < 1.5.1.8 - Authenticated (Editor+) Stored Cross-Site Scripting