WordPress Plugin Vulnerabilities

Simple Like Page Plugin < 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description

The Simple Like Page Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sfp-page-plugin' shortcode in versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
simple-facebook-plugin
Fixed in 1.5.2

References

CVE
CVE-2023-4888
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f81df26f-4390-4626-8539-367a52f8a027

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
b73939a6-d16e-4552-8df6-cf3a80ccab8b

Timeline

Publicly Published
2023-11-06 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-05-16
Title
Booking Calendar < 10.11.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpbc Shortcode
Published
2018-01-12
Title
Dark Mode <= 1.6 - Stored XSS
Published
2022-10-24
Title
Traffic Manager <= 1.4.5 - Subscriber+ Stored Cross-Site Scripting
Published
2024-12-17
Title
Twitter Bootstrap Collapse aka Accordian Shortcode <= 1.0 - Stored XSS via Shortcode
Published
2017-12-05
Title
WP Mailster <= 1.5.4 - Unauthenticated Cross-Site Scripting (XSS)