WordPress Plugin Vulnerabilities

Social Feed <= 1.5.4.6 - Author+ Stored XSS

Description

The plugin does not validate and escape some of its socialfeed shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the Author role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
add-facebook
No known fix

References

CVE
CVE-2023-5661

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
9fe0194b-7137-4941-ace5-5192c3717200

Timeline

Publicly Published
2023-11-06 (about 2 years ago)
Added
2023-11-16 (about 2 years ago)
Last Updated
2023-11-16 (about 2 years ago)

Other

Published
Title
Published
2025-01-24
Title
NOTICE BOARD BY TOWKIR <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-02-28
Title
Smart Slider 3 < 3.5.1.14 - Contributor+ Stored XSS
Published
2023-09-05
Title
Raise Mag <= 1.0.7 and Wishful Blog <= 2.0.1 - Reflected XSS
Published
2026-04-21
Title
Gallagher Website Design < 2.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'prefix' Shortcode Attribute
Published
2024-07-16
Title
WordPress File Upload < 4.24.8 - Reflected XSS