WordPress Plugin Vulnerabilities

Voting Record <= 2.0 - Subscriber+ Stored XSS

Description

The plugin is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks

Proof of Concept

Affects Plugins

Plugin icon
voting-record
No known fix

References

CVE
CVE-2023-7084
URL
https://magos-securitas.com/txt/CVE-2023-7084.txt

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.0 (high)

Miscellaneous

Original Researcher
Daniel Ruf
Submitter
Daniel Ruf
Submitter website
https://magos-securitas.com
Verified
Yes
WPVDB ID
5e51e239-919b-4e74-a7ee-195f3817f907

Timeline

Publicly Published
2024-01-10 (about 1 year ago)
Added
2024-01-10 (about 1 year ago)
Last Updated
2024-01-10 (about 1 year ago)

Other

Published
Title
Published
2024-12-13
Title
Companion Portfolio – Responsive Portfolio Plugin <= 2.4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-11-06
Title
LearnPress < 4.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-11-29
Title
Social Share Buttons & Analytics Plugin < 4.4 - Admin+ Stored XSS
Published
2025-06-18
Title
Echo RSS Feed Post Generator < 5.4.9 - Reflected Cross-Site Scripting
Published
2019-09-28
Title
Visualizer < 3.3.1 - Stored Cross-Site Scripting (XSS)