WordPress Plugin Vulnerabilities

Multiple plugins by vcita - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and the email field in the plugin settings, which could allow users with roles as low as contributor to inject arbitrary web scripts in the plugin settings page, which could target high privilege users such as administrators.

Proof of Concept

Affects Plugins

Plugin icon
event-registration-calendar-by-vcita
Fixed in 1.4.0
Plugin icon
paypal-payment-button-by-vcita
Fixed in 3.10.0

References

CVE
CVE-2023-2406
URL
https://blog.jonh.eu/blog/security-vulnerabilities-in-wordpress-plugins-by-vcita
URL
https://plugins.trac.wordpress.org/browser/event-registration-calendar-by-vcita/trunk/system/parse_vcita_callback.php#L55
URL
https://plugins.trac.wordpress.org/browser/paypal-payment-button-by-vcita/trunk/system/parse_vcita_callback.php#L55

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Jonas Höbenreich
Verified
No
WPVDB ID
af2c461c-d8ce-48e1-b802-092b5f56cfba

Timeline

Publicly Published
2023-06-02 (about 2 years ago)
Added
2023-06-04 (about 2 years ago)
Last Updated
2023-06-12 (about 2 years ago)

Other

Published
Title
Published
2026-02-18
Title
Renden <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
Published
2022-12-16
Title
Vision Interactive For WordPress < 1.5.4 - Contributor+ Stored XSS
Published
2025-09-05
Title
ARI Fancy Lightbox < 1.4.1 - Contributor+ Stored XSS
Published
2024-06-06
Title
12 Step Meeting List < 3.14.34 - Reflected Cross-Site Scripting
Published
2024-04-01
Title
Metform Elementor Contact Form Builder < 3.8.6 - Contributor+ Stored XSS