WordPress Plugin Vulnerabilities

WP Links Page < 4.9.4 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
wp-links-page
Fixed in 4.9.4

References

CVE
CVE-2023-22720

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
eb28d4e5-b8d2-4600-bf0d-dc012c25cfaa

Timeline

Publicly Published
2023-04-19 (about 2 years ago)
Added
2023-05-12 (about 2 years ago)
Last Updated
2023-05-12 (about 2 years ago)

Other

Published
Title
Published
2021-08-02
Title
Sitewide Notice WP < 2.3 - Admin+ Stored XSS
Published
2024-07-16
Title
Ultimate Addons for WPBakery Page Builder < 3.19.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2023-11-13
Title
Popup box < 3.8.6 - Admin+ Stored XSS in Categories
Published
2023-11-23
Title
Events Manager < 6.4.6 - Reflected Cross-Site Scripting
Published
2022-12-27
Title
Rate my Post – WP Rating System < 3.3.9 - Contributor+ Stored XSS via Shortcode