WordPress Plugin Vulnerabilities

Booster for WooCommerce < 7.1.1 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
woocommerce-jetpack
Fixed in 7.1.1

References

CVE
CVE-2023-4945

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
aa666364-1d19-4871-8fb8-0ab4e2b8540e

Timeline

Publicly Published
2023-09-13 (about 2 years ago)
Added
2023-09-14 (about 2 years ago)
Last Updated
2023-09-14 (about 2 years ago)

Other

Published
Title
Published
2024-11-08
Title
Rig Elements For Elementor <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-10
Title
GB Gallery Slideshow <= 1.3 - Reflected Cross-Site Scripting
Published
2025-07-07
Title
Dot html,php,xml etc pages <= 1.0 - Reflected Cross-Site Scripting
Published
2025-03-24
Title
IG Shortcodes <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-16
Title
wp_amaps <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting