Pretty Url < 1.5.5 – Admin+ Stored XSS | CVE 2023-2009

Description

Plugin does not sanitize and escape the URL field in the plugin settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

1. In the "Enter the URL: field, add the XSS payload `<img src=x onerror=alert(1)>` and save
2. Payload will be executed upon reload.

Affects Plugins

pretty-url

Fixed in 1.5.5

References

CVE

CVE-2023-2009

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

3.5 (low)

Miscellaneous

Original Researcher

Shezad Master

Submitter

Shezad Master

Verified

Yes

WPVDB ID

f7988a18-ba9d-4ead-82c8-30ea8223846f

Timeline

Publicly Published

2023-04-18 (about 2 years ago)

Added

2023-04-18 (about 2 years ago)

Last Updated

2025-06-30 (about 7 months ago)

Other

Published

Title

Published

2024-10-15

Title

CURCY < 2.2.4 - Reflected Cross-Site Scripting

Published

2026-01-27

Title

Appointment Hour Booking – Booking Calendar < 1.5.61 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Min/Max Length' Field Configuration

Published

2025-08-14

Title

Plugin README Parser <= 1.3.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via target Parameter

Published

2024-11-08

Title

Bread & Butter < 7.5.880 - Contributor+ Stored XSS

Published

2025-11-10

Title

Share to Google Classroom <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via share_to_google Shortcode