WordPress Plugin Vulnerabilities

WooDiscuz – WooCommerce Comments < 2.3.0 - Admin+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
woodiscuz-woocommerce-comments
No known fix

References

CVE
CVE-2023-33216
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woodiscuz-woocommerce-comments/woodiscuz-woocommerce-comments-229-authenticated-administrator-stored-cross-site-scripting
URL
https://patchstack.com/database/vulnerability/woodiscuz-woocommerce-comments/wordpress-woodiscuz-woocommerce-comments-plugin-2-2-9-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Emili Castells
Verified
No
WPVDB ID
7ebc6e25-9b98-4371-a856-0cf346e017c0

Timeline

Publicly Published
2023-05-19 (about 2 years ago)
Added
2023-05-29 (about 2 years ago)
Last Updated
2023-05-29 (about 2 years ago)

Other

Published
Title
Published
2022-10-12
Title
Accessibility < 1.0.4 - Admin+ Stored XSS
Published
2022-05-23
Title
Appointment Hour Booking < 1.3.56 - Admin+ Stored Cross-Site Scripting
Published
2024-09-05
Title
Content Blocks (Custom Post Widget) < 3.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-01-12
Title
Login with Phone Number < 1.4.2 - Reflected Cross-Site Scripting
Published
2025-10-05
Title
TempTool [Show Current Template Info] <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting