WordPress Plugin Vulnerabilities

Pinterest RSS Widget <= 2.3.1 - Contributor+ Stored Cross-Site Scripting via shortcode

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.

Affects Plugins

Plugin icon
pinterest-rss-widget
No known fix

References

CVE
CVE-2023-23877
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/pinterest-rss-widget/pinterest-rss-widget-231-authenticated-contributor-stored-cross-site-scripting-via-shortcode

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
Yes
WPVDB ID
cc6d87b4-ae12-425b-9c02-b346b6cf54aa

Timeline

Publicly Published
2023-05-11 (about 3 years ago)
Added
2023-08-09 (about 2 years ago)
Last Updated
2023-08-09 (about 2 years ago)

Other

Published
Title
Published
2015-08-25
Title
Olevmedia Shortcodes <= 1.1.8 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2022-06-27
Title
W-DALIL <= 2.0 - Admin+ Stored Cross-Site Scripting
Published
2024-10-22
Title
WP Shortcodes Plugin — Shortcodes Ultimate < 7.3.0 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Published
2025-07-14
Title
Companion Auto Update < 3.9.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via update_delay_days parameter
Published
2025-04-10
Title
wp secure <= 1.2 - Reflected Cross-Site Scripting