WordPress Plugin Vulnerabilities

Featured Image from URL (FIFU) < 4.5.4 - Contributor+ Stored XSS

Description

The plugin does not sanitise and escape the featured image alt text, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
featured-image-from-url
Fixed in 4.5.4

References

CVE
CVE-2023-6561
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d4d5ae93-000e-4001-adfa-c11058032469

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
76d27708-274b-4610-8cae-8ab31def1009

Timeline

Publicly Published
2023-12-14 (about 2 years ago)
Added
2023-12-15 (about 2 years ago)
Last Updated
2023-12-15 (about 2 years ago)

Other

Published
Title
Published
2018-01-12
Title
Read and Understood <= 2.1 - Authenticated Stored XSS & CSRF
Published
2024-12-05
Title
News Kit Elementor Addons <= 1.4.2 - Contributor+ Stored XSS
Published
2023-11-29
Title
Forms by CaptainForm <= 2.5.3 - Reflected Cross-Site Scripting via REQUEST_URI
Published
2025-05-07
Title
Charitable < 1.8.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-09-27
Title
TM WooCommerce Compare & Wishlist <= 1.1.7 - Contributor+ Stored Cross-Site Scripting