WordPress Plugin Vulnerabilities

Dynamically Register Sidebars <= 1.0.1 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
dynamically-register-sidebars
No known fix

References

CVE
CVE-2023-31091

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Pavitra Tiwari
Verified
No
WPVDB ID
cc751cea-c160-4a82-bd6a-cda69f75ba79

Timeline

Publicly Published
2023-04-24 (about 3 years ago)
Added
2023-08-18 (about 2 years ago)
Last Updated
2023-08-18 (about 2 years ago)

Other

Published
Title
Published
2026-03-20
Title
Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slider' Shortcode
Published
2025-03-11
Title
GNUPress <= 0.2.9 - Reflected Cross-Site Scripting
Published
2015-05-15
Title
Anti-Malware & Brute-Force Security by ELI < 4.15.20 - Multiple Reflected XSS
Published
2022-12-27
Title
Login Logout Menu < 1.4.0 - Contributor+ Stored XSS in Shortcode
Published
2017-07-31
Title
Event List < 0.7.10 - XSS