WordPress Plugin Vulnerabilities

Page Builder by AZEXO <= 1.27.133 - Contributor+ Stored Cross-Site Scripting via shortcode

Description

The plugin does not validate and escape the attributes of the azh_post shortcode before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.

Affects Plugins

Plugin icon
page-builder-by-azexo
No known fix

References

CVE
CVE-2023-3051
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/page-builder-by-azexo/page-builder-by-azexo-127133-authenticated-contributor-stored-cross-site-scripting-via-shortcode

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
dda83b1d-43e7-46db-8320-ee6efdf62f23

Timeline

Publicly Published
2023-06-02 (about 2 years ago)
Added
2023-06-03 (about 2 years ago)
Last Updated
2023-06-03 (about 2 years ago)

Other

Published
Title
Published
2024-05-07
Title
Beaver Builder – WordPress Page Builder < 2.8.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-01-16
Title
NoFollow Free <= 1.6.3 - Reflected Cross-Site Scripting
Published
2021-09-08
Title
Konnichiwa! Membership <= 0.8.3 - Reflected Cross-Site Scripting
Published
2025-03-24
Title
Custom Product Stickers for Woocommerce <= 1.9.0 - Reflected Cross-Site Scripting
Published
2025-11-18
Title
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers < 1.12.21 - Unauthenticated Stored Cross-Site Scripting