WordPress Plugin Vulnerabilities

Rank Math SEO < 1.0.119.1 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
seo-by-rank-math
Fixed in 1.0.119.1

References

CVE
CVE-2023-32600

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
ba2936fc-7098-4834-8985-4c00d6ebdbbe

Timeline

Publicly Published
2023-07-17 (about 2 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2022-06-06
Title
WordPress Security < 4.2.1 - Admin+ Stored Cross-Site Scripting
Published
2014-08-01
Title
coupon-code-plugin <= 2.1 - XSS in ZeroClipboard
Published
2022-09-08
Title
Culture Object < 4.1.1 - Admin+ Stored Cross-Site Scripting
Published
2022-05-23
Title
Appointment Hour Booking < 1.3.56 - Admin+ Stored Cross-Site Scripting
Published
2025-05-07
Title
Meow Gallery < 5.2.8 - Authenticated (Author+) Stored Cross-Site Scripting