WordPress Plugin Vulnerabilities

BEAF < 4.7.1 - Admin+ Stored XSS via Widget Shortcode Field

Description

The plugin does not escape the value of the BEAF Slider widget's shortcode field before outputting it on the front end (the value is passed through do_shortcode, which echoes non-shortcode content verbatim), allowing users with administrator-level access to store a script that executes in the browser of any visitor who loads a page displaying the widget.

Proof of Concept

Affects Plugins

References

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Verified
Yes

Timeline

Publicly Published
2026-06-23 (about 22 days ago)
Added
2026-06-23 (about 21 days ago)
Last Updated
2026-06-23 (about 21 days ago)

Other