WordPress Plugin Vulnerabilities

PixelYourSite < 9.3.7 and PixelYourSite Pro < 9.6.2 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not properly sanitize input and escape output in admin settings, leading to Stored Cross-Site Scripting vulnerabilities. This issue affects multi-site installations and installations with disabled unfiltered_html.

Affects Plugins

Plugin icon
pixelyoursite-pro
Fixed in 9.6.2
Plugin icon
pixelyoursite
Fixed in 9.3.7

References

CVE
CVE-2023-2584

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
f9685231-bca9-44da-9156-51978c5b582a

Timeline

Publicly Published
2023-05-16 (about 2 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-09-11 (about 2 years ago)

Other

Published
Title
Published
2022-04-04
Title
LifterLMS PayPal < 1.4.0 - Reflected Cross-Site Scripting
Published
2024-06-22
Title
SULly < 4.3.1 - Admin+ Stored XSS
Published
2024-03-25
Title
Crypto Converter Widget < 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Published
2024-11-08
Title
Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages < 1.7.7 - Reflected Cross-Site Scripting
Published
2024-11-16
Title
Simple Side Tab < 2.2.0 - Admin+ Stored XSS