WordPress Plugin Vulnerabilities

Waiting: One-click countdowns <= 0.6.2 - Subscriber+ Stored XSS

Description

The plugin does not sanitise and escape some parameters, and is missing proper authorisation, which could allow any authenticated users, such as subscriber to perform Cross-Site Scripting attacks

Affects Plugins

Plugin icon
waiting
No known fix

References

CVE
CVE-2023-2757

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.4 (high)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
5a2c8576-9b1a-419a-b1ce-a12912b5f68a

Timeline

Publicly Published
2023-05-17 (about 2 years ago)
Added
2023-05-18 (about 2 years ago)
Last Updated
2023-05-18 (about 2 years ago)

Other

Published
Title
Published
2025-12-01
Title
WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) < 4.0.0 - Unauthenticated Stored Cross-Site Scripting via External Content Import
Published
2024-03-21
Title
Memberpress < 1.11.27 - Reflected Cross-Site Scripting via message and error
Published
2024-09-23
Title
ShiftController Employee Shift Scheduling < 4.9.65 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-02-05
Title
Post Timeline < 2.3.10 - Reflected XSS
Published
2014-06-12
Title
Ruven Toolkit <= 1.1 - tinymce/popup.php popup Parameter Reflected XSS