WordPress Plugin Vulnerabilities

TWB Woocommerce Reviews < 1.7.6 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
twb-woocommerce-reviews
Fixed in 1.7.6

References

CVE
CVE-2023-47653
URL
https://patchstack.com/database/vulnerability/twb-woocommerce-reviews/wordpress-twb-woocommerce-reviews-plugin-1-7-5-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Emili Castells
Verified
No
WPVDB ID
bf4e61e8-1c4d-4f38-937d-c5310bdf6851

Timeline

Publicly Published
2023-11-07 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-03-20 (about 2 years ago)

Other

Published
Title
Published
2024-09-01
Title
Polls CP <= 1.0.75 - Admin+ Stored XSS via Custom Styles
Published
2025-02-24
Title
WP About Author < 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-26
Title
Email Subscribers & Newsletters < 5.7.12 - Reflected Cross-Site Scripting via campaign_id
Published
2023-10-02
Title
Locations <= 4.0 - Contributor+ Stored XSS
Published
2014-08-01
Title
GD Star Rating 1.9.7 - Cross-Site Scripting (XSS)