Leyka < 3.30.4 – Admin+ Stored XSS | CVE 2023-2995 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Note: The issue was reported to the vendor on May 30th, 2023 and unfortunately hot fixed in 3.30.3 rather than releasing a new version.

Proof of Concept

In the "My Data" section of the plugin settings, enter the payload `<svg/onload=alert('xss1')>` for either the "text of personal data usage Terms" or "text of Terms of donation service" settings . Set at least one payment method, load the campaign, and view the XSS.

Affects Plugins

Fixed in 3.30.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

An Dang

Submitter

An Dang

Verified

Yes

WPVDB ID

762ff2ca-5c1f-49ae-b83c-1c22bacbc82f

Timeline

Publicly Published

2023-08-23 (about 2 years ago)

Added

2023-08-23 (about 2 years ago)

Last Updated

2023-10-23 (about 2 years ago)

Other

Published

Title

Published

2025-10-11

Title

Togo < 1.0.4 - Reflected Cross-Site Scripting

Published

2022-09-27

Title

Forym <= 1.5.8 - Reflected Cross-Site Scripting

Published

2025-11-12

Title

WordPress Content Flipper <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-08-14

Title

JetElements For Elementor < 2.7.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-12-22

Title

WP Crowdfunding < 2.1.10 - Admin+ Stored XSS