WordPress Plugin Vulnerabilities

Simple Shortcodes <= 1.0.20 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sufficiently sanitize input or escape output on user-supplied attributes, resulting in a potential for Stored Cross-Site Scripting via shortcodes. This flaw makes it possible for users with contributor-level permissions or higher to inject arbitrary web scripts into pages.

Affects Plugins

Plugin icon
smpl-shortcodes
No known fix

References

CVE
CVE-2023-5566
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a153d6b2-e3fd-42db-90ba-d899a07d60c1

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
cc06c7e9-7de1-4237-aecd-de8274f30bf1

Timeline

Publicly Published
2023-10-29 (about 2 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2026-02-24
Title
Rise Blocks – A Complete Gutenberg Page Builder <= 3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Site Identity Block Attributes
Published
2025-12-31
Title
Web and WooCommerce Addons for WPBakery Builder <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-10-24
Title
2kb Amazon Affiliates Store <= 2.1.5 - Reflected XSS
Published
2025-04-02
Title
Videos <= 1.0.5 - Reflected Cross-Site Scripting
Published
2023-03-29
Title
Social Proof (Testimonial) Slider < 2.2.4 - Admin+ Stored XSS