WordPress Plugin Vulnerabilities

Orbit Fox Companion < 2.10.27 - Contributor+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields due to insufficient input sanitization and output escaping on user supplied values, allowing authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
themeisle-companion
Fixed in 2.10.27

References

CVE
CVE-2023-6781
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/23e39019-c322-4027-84f2-faabd9ca4983

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Nex Team
Verified
No
WPVDB ID
e233f771-4d5b-48f5-a2ac-8de721b0534b

Timeline

Publicly Published
2024-01-05 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-05 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Events Calendar - wp-admin/admin.php EC_id Parameter XSS
Published
2016-09-02
Title
WP-Piwik <= 1.0.10 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2026-03-16
Title
Flexmls® IDX Plugin < 3.15.10 - Reflected Cross-Site Scripting
Published
2023-10-23
Title
Delete Me < 3.1 - Contributor+ Stored Cross-Site Scripting via Shortcode
Published
2023-06-08
Title
Kanban Boards for WordPress < 2.5.21 - Admin+ Stored XSS