WordPress Plugin Vulnerabilities

Ibtana – WordPress Website Builder < 1.1.8.8 - Contributor+ Stored XSS via Shortcode

Description

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack

Proof of Concept

Affects Plugins

Plugin icon
ibtana-visual-editor
Fixed in 1.1.8.8

References

CVE
CVE-2022-4674

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
eda64678-81ae-4be3-941e-a1e26e54029b

Timeline

Publicly Published
2022-12-20 (about 3 years ago)
Added
2023-01-11 (about 2 years ago)
Last Updated
2023-01-11 (about 2 years ago)

Other

Published
Title
Published
2023-09-01
Title
HollerBox < 2.3.3 - Admin+ Stored XSS
Published
2022-05-03
Title
Enable SVG < 1.4.0 - Author+ Stored Cross Site Scripting via SVG
Published
2023-05-03
Title
Albo Pretorio Online < 4.6.4 - Reflected XSS
Published
2024-10-24
Title
Simple File List < 6.1.13 - Reflected Cross-Site Scripting
Published
2025-07-07
Title
Tennis Court Bookings <= 1.2.7 - Reflected Cross-Site Scripting