WordPress Plugin Vulnerabilities

Site Reviews < 6.6.0 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
site-reviews
Fixed in 6.6.0

References

CVE
CVE-2023-27612

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
58ab74ae-f7df-4208-9aa2-7e91102ed352

Timeline

Publicly Published
2023-03-13 (about 3 years ago)
Added
2023-06-22 (about 2 years ago)
Last Updated
2023-06-22 (about 2 years ago)

Other

Published
Title
Published
2024-09-03
Title
Attributes for Blocks < 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via attributesForBlocks Parameter
Published
2024-04-05
Title
Salon booking system < 9.6.6 - Editor+ Stored XSS
Published
2024-09-25
Title
Secure Copy Content Protection and Content Locking < 4.2.4 - Reflected Cross-Site Scripting
Published
2014-11-26
Title
Google Analytics by Yoast <= 5.1.2 Cross-Site Scripting (XSS)
Published
2025-04-14
Title
OTP-less one tap Sign in < 2.0.59 - Reflected Cross-Site Scripting