WordPress Plugin Vulnerabilities

Drop Shadow Boxes < 1.7.11 - Contributor+ Cross-Site Scripting

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
drop-shadow-boxes
Fixed in 1.7.11

References

CVE
CVE-2023-23833

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
b13fdb06-14ef-4b15-80c1-ed5fbe64ce69

Timeline

Publicly Published
2023-05-15 (about 2 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2024-04-29
Title
Elementor ImageBox <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-05
Title
Smooth Accordion <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-04-16
Title
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX < 4.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-22
Title
Soledad < 8.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-08-23
Title
String Locator < 2.6.6 - Reflected Cross-Site Scripting