Simply Excerpts <= 1.4 – Admin+ Stored XSS | CVE 2023-5137

Description

The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Proof of Concept

Put the following payload in the "Read more text" setting of the plugin and save: 1"><img src=1 onerror=alert(/xss/)>

Affects Plugins

simply-excerpts

No known fix

References

CVE

CVE-2023-5137

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.4 (low)

Miscellaneous

Original Researcher

niclo

Submitter

niclo

Verified

Yes

WPVDB ID

79b79e9c-ea4f-4188-a1b5-61dda0b5d434

Timeline

Publicly Published

2023-11-13 (about 2 years ago)

Added

2023-11-13 (about 2 years ago)

Last Updated

2023-11-13 (about 2 years ago)

Other

Published

Title

Published

2020-01-15

Title

LearnDash < 3.1.2 - Reflected Cross Site Scripting (XSS) issue on the [ld_profile] search field.

Published

2023-11-29

Title

BP Better Messages < 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Published

2024-06-18

Title

Ultimate Blocks – WordPress Blocks Plugin < 3.1.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via metabox

Published

2025-05-02

Title

Category Widget <= 2.0.2 - Reflected Cross-Site Scripting

Published

2025-01-24

Title

WordPress SEO Friendly Accordion FAQ with AI assisted content generation <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting