WordPress Plugin Vulnerabilities

Side Cart Woocommerce (Ajax) < 2.3 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
side-cart-woocommerce
Fixed in 2.3

References

CVE
CVE-2023-28415

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Yuki Haruma
Verified
No
WPVDB ID
e945c2a1-4015-4958-954e-98a873dfd9b0

Timeline

Publicly Published
2023-06-28 (about 2 years ago)
Added
2023-08-31 (about 2 years ago)
Last Updated
2023-08-31 (about 2 years ago)

Other

Published
Title
Published
2023-12-05
Title
Smart External Link Click Monitor [Link Log] <= 5.0.2 - Reflected Cross-Site Scripting
Published
2025-02-17
Title
Post SMTP < 3.1.0 - Unauthenticated Stored XSS
Published
2014-08-01
Title
HK Exif Tags 1.11 - hk_exif_tags.php hk_exif_tags_images_process Function EXIF Tags H&ling Stored XSS
Published
2015-04-21
Title
WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2025-04-16
Title
Author WIP Progress Bar <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting