WordPress Plugin Vulnerabilities

Bellows Accordion Menu < 1.4.3 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not adequately sanitize user-supplied attributes in shortcodes, nor does it correctly escape output. This can lead to injection of arbitrary web scripts in pages by authenticated users with contributor-level permissions.

Affects Plugins

Plugin icon
bellows-accordion-menu
Fixed in 1.4.3

References

CVE
CVE-2023-5164
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/50283a4f-ea59-488a-bab0-dd6bc5718556

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
81f43887-b22c-4c6e-9786-c46357acc225

Timeline

Publicly Published
2023-10-29 (about 2 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2025-05-10
Title
Premmerce User Roles < 1.0.14 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-07-11
Title
SKT Skill Bar < 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-06-20
Title
Analytify < 4.2.1 - Reflected Cross-Site Scripting
Published
2016-07-19
Title
WooCommerce <= 2.6.2 - Authenticated Cross-Site Scripting (XSS)
Published
2023-11-20
Title
EmbedPress < 3.9.2 - Reflected XSS