Live Gold Price & Silver Price Charts Widgets <= 2.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings | CVE 2023-47662 | Plugin Vulnerabilities

Description

The Live Gold Price & Silver Price Charts Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

gold-price-chart-widget

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c53ebf2f-44ab-4d0f-ac3d-c08806c07343

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Emili Castells

Verified

No

WPVDB ID

d1c10834-fae5-4178-865f-6c3be4a250f3

Timeline

Publicly Published

2023-11-07 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-03-16

Title

WooCommerce Google Feed Manager < 2.3.0 - Authenticated (Shop manager+) Stored Cross-Site Scripting

Published

2023-05-04

Title

Advanced Custom Fields < 6.1.6 - Reflected XSS

Published

2022-07-18

Title

Better Tag Cloud <= 0.99.5 - Admin+ Stored Cross-Site Scripting

Published

2025-01-18

Title

CarZine <= 1.4.6 - Reflected Cross-Site Scripting

Published

2025-06-10

Title

ZotPress < 7.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'nickname'