ActivityPub for WordPress < 1.0.0 – Contributor+ Stored XSS | CVE 2023-5057 | Plugin Vulnerabilities

Description

The plugin does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks

Proof of Concept

As a contributor, put the following payload in a post (the payload will have to be updated accordingly to watch the correct user and domain)

ahoy hoy @user@malicious-activitypub.site

The XSS will be trigged when viewing/previewing the post

Affects Plugins

Fixed in 1.0.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ben Bidner

Verified

Yes

WPVDB ID

58a63507-f0fd-46f1-a80c-6b1c41dddcf5

Timeline

Publicly Published

2023-09-25 (about 2 years ago)

Added

2023-09-25 (about 2 years ago)

Last Updated

2023-09-25 (about 2 years ago)

Other

Published

Title

Published

2024-05-07

Title

Form Maker by 10Web < 1.15.25 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-03-27

Title

Advanced Post Search <= 1.1.0 - Reflected Cross-Site Scripting

Published

2021-08-04

Title

WP Customize Login <= 1.1 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-09-24

Title

WP GPX Maps <= 1.7.08 - Authenticated (Contributor+) Stored Cross-Site Scripting via sgpx Shortcode

Published

2024-03-21

Title

Page Builder: Pagelayer – Drag and Drop website builder < 1.8.5 - Contributor+ Stored XSS