WP Review Slider < 12.8 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2023-51685 | Plugin Vulnerabilities

Description

The WP Review Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 12.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

wp-facebook-reviews

Fixed in 12.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/62233370-3b54-4d89-93e7-07afdae4a413

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

emad

Verified

No

WPVDB ID

eb2fe2fa-5ec2-412a-a68b-c0aab0adc0eb

Timeline

Publicly Published

2023-12-27 (about 2 years ago)

Added

2024-01-05 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2025-06-26

Title

Osom Blocks < 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Parameter

Published

2024-11-08

Title

Wd-image-magnifier-xoss <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-03

Title

Status Updater <= 1.9.2 - Reflected Cross-Site Scripting

Published

2024-03-06

Title

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin < 3.1.5 - Unauthenticated Stored Self-Based Cross-Site Scripting

Published

2025-05-19

Title

MultiVendorX < 4.2.23 - Authenticated (Contributor+) Stored Cross-Site Scripting