WordPress Plugin Vulnerabilities

WPCS – WordPress Currency Switcher Professional < 1.2.0 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not properly sanitize and escape user input in the wpcs_current_currency shortcode, leading to a Stored Cross-Site Scripting vulnerability.

Affects Plugins

Plugin icon
currency-switcher
Fixed in 1.2.0

References

CVE
CVE-2023-2558

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
e9be0eef-dc90-465b-9b2a-d4a9cf11eb62

Timeline

Publicly Published
2023-05-12 (about 2 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2025-10-21
Title
SM CountDown Widget <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-04-11
Title
Adrotate < 5.8.23 - Admin+ XSS via Group Name
Published
2025-01-16
Title
Userbase Access Control <= 1.0 - Reflected Cross-Site Scripting
Published
2022-04-26
Title
Gwyn's Imagemap Selector <= 0.3.3 - Reflected Cross-Site Scripting
Published
2023-04-28
Title
Mass Email To users < 1.1.5 - Reflected XSS