WordPress Plugin Vulnerabilities

Blog Filter <= 1.4 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not adequately sanitize and escape the 'vivafbcomment' shortcode. This lack of proper input sanitization and output escaping allows authenticated users with contributor-level permissions or higher to inject arbitrary web scripts into pages. These scripts will execute whenever a user visits an injected page.

Affects Plugins

Plugin icon
facebook-comment-by-vivacity
No known fix

References

CVE
CVE-2023-5295
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/602b3b9c-76a7-4b0b-8aad-e554c2fd6910

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
f330f68b-8eb3-418a-9759-35dab34f85be

Timeline

Publicly Published
2023-09-29 (about 2 years ago)
Added
2023-10-01 (about 2 years ago)
Last Updated
2023-10-01 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
Dewplayer - dewplayer-vinyl.swf xml Parameter XML File H&ling XSS
Published
2011-11-20
Title
WP-Cumulus - Cross Site Scripting Vulnerabily
Published
2023-04-17
Title
Mega Addons For WPBakery Page Builder < 4.3.0 - Contributor+ Stored XSS
Published
2022-07-01
Title
Yellow Yard Searchbar < 2.8.12 - Reflected Cross-Site Scripting
Published
2022-04-18
Title
Slide Anything < 2.3.44 - Editor+ Stored Cross-Site Scripting