Payment Forms for Paystack < 4.0.0 – Contributor+ Stored XSS | CVE 2023-5665 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

payment-forms-for-paystack

Fixed in 4.0.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/98f80608-f24f-4019-a757-de71cba9902f

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

5c93ba81-c97c-4a91-a393-426ec2aa8d89

Timeline

Publicly Published

2024-02-07 (about 2 years ago)

Added

2024-02-07 (about 2 years ago)

Last Updated

2024-10-21 (about 1 year ago)

Other

Published

Title

Published

2023-01-27

Title

Namaste! LMS < 2.5.9.2 - Admin+ Stored XSS

Published

2024-06-05

Title

Rotating Tweets (Twitter widget and shortcode) <= 1.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2025-07-26

Title

Ebook Store < 5.8015 - Reflected XSS via $_SERVER['REQUEST_URI']

Published

2024-04-18

Title

Media Library Folders < 8.2.1 - Reflected Cross-Site Scripting via 's'

Published

2022-01-17

Title

Magee Shortcodes < 2.0.9 - Reflected Cross-Site Scripting