WordPress Plugin Vulnerabilities

Ecwid Shopping Cart < 6.11.5 - Contributor+ Stored Cross-Site Scriping

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

Affects Plugins

Plugin icon
ecwid-shopping-cart
Fixed in 6.11.5

References

CVE
CVE-2023-24408

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
a10ae3c6-b52c-425a-8409-ad82e89a335a

Timeline

Publicly Published
2023-03-17 (about 3 years ago)
Added
2023-05-08 (about 3 years ago)
Last Updated
2023-05-08 (about 3 years ago)

Other

Published
Title
Published
2024-04-16
Title
WP Club Manager < 2.2.12 - Authenticated (Player+) Stored Cross-Site Scripting
Published
2025-12-31
Title
Knowledge Base documentation & wiki plugin – BasePress < 2.17.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2018-12-10
Title
WooCommerce <= 3.4.5 - Authenticated Stored XSS
Published
2025-04-14
Title
Course Booking System < 6.1.3 - Reflected Cross-Site Scripting
Published
2025-12-11
Title
MailerLite – Signup forms (official) < 1.7.17 - Authenticated (Administrator+) Stored Cross-Site Scripting