WordPress Plugin Vulnerabilities

FareHarbor < 3.6.8 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not adequately sanitize input or escape output on user-supplied attributes, leading to the possibility of Stored Cross-Site Scripting via shortcodes. This issue arises when authenticated users with contributor-level or higher permissions inject arbitrary web scripts into pages, which will then execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
fareharbor
Fixed in 3.6.8

References

CVE
CVE-2023-5252
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/42ad6fef-4280-45db-a3e2-6d7522751fa7

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
db8becb7-525f-4842-8f9f-b6c2fa0a6d80

Timeline

Publicly Published
2023-10-29 (about 2 years ago)
Added
2023-11-03 (about 2 years ago)
Last Updated
2023-11-03 (about 2 years ago)

Other

Published
Title
Published
2021-09-09
Title
Yet Another bol.com Plugin <= 1.4 - Reflected Cross-Site Scripting
Published
2017-06-20
Title
All-in-One WP Migration < 6.46 - Reflected Cross-Site Scripting (XSS)
Published
2025-07-17
Title
WooCommerce Shop Page Builder <= 2.27.7 - Reflected Cross-Site Scripting
Published
2025-07-07
Title
Media Folder <= 1.0.0 - Reflected Cross-Site Scripting
Published
2016-09-10
Title
MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS)