WordPress Plugin Vulnerabilities

Blog-in-Blog <= 1.1.1 - Editor+ Stored Cross-Site Scripting via Shortcode

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back into the page, which could allow users with an editor role or above to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.

Affects Plugins

Plugin icon
blog-in-blog
No known fix

References

CVE
CVE-2023-2436
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/blog-in-blog/blog-in-blog-111-authenticated-editor-stored-cross-site-scripting-via-shortcode

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
e3012a5a-ff6f-453e-8d17-75c9399a778d

Timeline

Publicly Published
2023-05-30 (about 2 years ago)
Added
2023-05-31 (about 2 years ago)
Last Updated
2026-01-29 (about 3 months ago)

Other

Published
Title
Published
2014-08-01
Title
Lazyest Gallery 0.10.4.3 - Multiple File/Directory Insecure Permissions Local Content Manipulation
Published
2024-10-14
Title
BuddyPress Better Registration <= 1.6 - Authentication Bypass to Administrator
Published
2019-09-02
Title
Event Tickets <= 4.10.7.1 - CSV Injection
Published
2015-12-10
Title
Link Log < 2.0 - HTTP Response Splitting
Published
2014-08-01
Title
Email Newsletter <= 8.0 - Information Disclosure