WordPress Plugin Vulnerabilities

User Submitted Posts < 20230811 - Unauthenticated Stored XSS

Description

The plugin does not sanitize and escape the user-submitted-content parameter, which could allow unauthenticated users to perform Stored XSS attacks

Affects Plugins

Plugin icon
user-submitted-posts
Fixed in 20230811

References

CVE
CVE-2023-4308

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.3 (high)

Miscellaneous

Original Researcher
NGÔ THIÊN AN
Verified
No
WPVDB ID
d5b95156-eda4-4bd4-bd56-81672f345700

Timeline

Publicly Published
2023-08-14 (about 2 years ago)
Added
2023-08-16 (about 2 years ago)
Last Updated
2023-08-16 (about 2 years ago)

Other

Published
Title
Published
2024-03-25
Title
WP Google Maps < 9.0.30 - Reflected Cross-Site Scripting
Published
2025-06-02
Title
Profile Builder < 3.13.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via user_meta and compare Shortcodes
Published
2021-12-21
Title
Simple Download Monitor < 3.9.11 - Contributor+ Stored Cross-Site Scripting via Shortcodes
Published
2024-04-18
Title
ElementsKit Pro < 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ekit_btn_id'
Published
2017-11-08
Title
Simple Membership < 3.5.7 - XSS