WordPress Plugin Vulnerabilities
BEAF < 4.7.1 - Admin+ Stored XSS via Widget Shortcode Field
Description
The plugin does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end (the value is passed through do_shortcode, which echoes non-shortcode content verbatim), allowing users with administrator-level access to store a script that executes in the browser of any visitor who loads a page displaying the widget.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-23 (about 22 days ago)
Added
2026-06-23 (about 21 days ago)
Last Updated
2026-06-23 (about 21 days ago)