Currency Converter Calculator < 1.3.2 – Contributor+ Stored XSS | CVE 2023-49149 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

currency-converter-calculator

Fixed in 1.3.2

References

CVE

URL

https://patchstack.com/database/vulnerability/currency-converter-calculator/wordpress-currency-converter-calculator-plugin-1-3-1-cross-site-scripting-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ngô Thiên An (ancorn_)

Verified

No

WPVDB ID

c5d8c7b4-6bf7-4692-ac54-d432288e10de

Timeline

Publicly Published

2023-11-28 (about 2 years ago)

Added

2023-12-08 (about 2 years ago)

Last Updated

2024-03-11 (about 2 years ago)

Other

Published

Title

Published

2023-08-17

Title

Modal Dialog < 3.5.15 - Reflected XSS

Published

2025-05-16

Title

TNC FlipBook < 12.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-03

Title

Vayu Blocks <= 1.4.4 - Contributor+ Stored XSS

Published

2025-09-22

Title

Mail Subscribe List <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-03-17

Title

Surbma | GDPR Proof Cookie Consent & Notice Bar < 17.6.0 - Contributor+ Stored Cross-Site Scripting