WordPress Plugin Vulnerabilities

TaxoPress < 3.6.5 - Editor+ Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
simple-tags
Fixed in 3.6.5

References

CVE
CVE-2023-2168
CVE
CVE-2023-2169
CVE
CVE-2023-2170

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Ivan Kuzymchak
Verified
No
WPVDB ID
bcba8a87-4c9e-4b0e-a47e-f89da994d1c3

Timeline

Publicly Published
2023-04-18 (about 2 years ago)
Added
2023-04-19 (about 2 years ago)
Last Updated
2023-04-19 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Manage Calameo Publications 1.1.0 - thickbox_content.php attachment_id Parameter Reflected XSS
Published
2025-11-10
Title
Featured Image < 2.2 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2024-09-23
Title
Pixel Cat – Conversion Pixel Manager < 3.0.6 - Reflected Cross-Site Scripting
Published
2023-05-30
Title
Chilexpress Woo Oficial <= 1.2.9 - Reflected XSS
Published
2021-10-14
Title
HAL < 2.2 - Admin+ Stored Cross-Site Scripting