WordPress Plugin Vulnerabilities

Fattura24 < 6.2.8 - Reflected Cross-Site Scripting

Description

The plugin does not sanitize or escape the 'id' parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
fattura24
Fixed in 6.2.8

References

CVE
CVE-2023-5211

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Enrico Marcolini, Claudio Marchesini
Submitter
Enrico Marcolini, Claudio Marchesini
Submitter website
https://www.dottormarc.it
Submitter twitter
dottormarc
Verified
Yes
WPVDB ID
aa868380-cda7-4ec6-8a3f-d9fa692908f2

Timeline

Publicly Published
2023-10-09 (about 2 years ago)
Added
2023-10-09 (about 2 years ago)
Last Updated
2023-10-09 (about 2 years ago)

Other

Published
Title
Published
2021-10-19
Title
Advanced Access Manager < 6.8.0 - Admin+ Stored Cross-Site Scripting
Published
2025-06-18
Title
HYDRO <= 2.8 - Reflected Cross-Site Scripting
Published
2023-08-28
Title
Ultimate Addons for Contact Form 7 < 3.2.1 - Reflected XSS
Published
2024-04-05
Title
WPvivid Backup for MainWP < 0.9.34 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2025-08-14
Title
Shortcode Redirect < 1.0.03 - Authenticated (Contributor+) Stored Cross-Site Scripting