WordPress Plugin Vulnerabilities

Font Awesome More Icons <= 3.5 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not properly sanitize and escape the 'icon' shortcode, leading to a potential Stored Cross-Site Scripting vulnerability. As a result, users with contributor-level permissions and above can inject arbitrary web scripts into pages.

Affects Plugins

Plugin icon
font-awesome-more-icons
No known fix

References

CVE
CVE-2023-5232
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/15947764-a070-4715-bd44-cb79b62ed59d

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
c753b553-dc67-444a-857e-717d17398447

Timeline

Publicly Published
2023-09-27 (about 2 years ago)
Added
2023-09-28 (about 2 years ago)
Last Updated
2023-09-28 (about 2 years ago)

Other

Published
Title
Published
2023-06-19
Title
URL Shortify < 1.7.0 - Admin+ Cross Site Scripting
Published
2025-02-12
Title
Rank Math SEO < 1.0.236 - Contributor+ Stored XSS via Rank Math API
Published
2014-08-01
Title
buckets <= 0.1.9.2 - XSS in ZeroClipboard
Published
2016-07-19
Title
Woo Email Control <= 1.01 - Reflected Cross-Site Scripting (XSS) & CSRF
Published
2024-06-12
Title
Elementor Header & Footer Builder < 1.6.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Site Title Widget