Collapse-O-Matic <= 1.8.5.8 – Contributor+ Stored XSS | CVE 2023-40669 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a Contributor user create a new post and add a shortcode containing the following payload:
[expand elwraptag="img src=cx.jpg onmouseover=alert(1);"]test

Now, as an administrator, preview the post and it'll trigger the payload.

Affects Plugins

jquery-collapse-o-matic

No known fix

References

CVE

URL

https://patchstack.com/database/vulnerability/jquery-collapse-o-matic/wordpress-collapse-o-matic-plugin-1-8-3-cross-site-scripting-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Verified

Yes

WPVDB ID

f9e04f83-60f9-4883-81d9-8d00f3c312ca

Timeline

Publicly Published

2023-08-22 (about 2 years ago)

Added

2023-09-27 (about 2 years ago)

Last Updated

2024-05-29 (about 1 year ago)

Other

Published

Title

Published

2025-04-01

Title

AI Search Bar <= 2.1 - Unauthenticated Stored Cross-Site Scripting

Published

2020-06-03

Title

Careerfy < 3.9.0 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2024-09-23

Title

ARForms Builder < 1.7.1 - Unauthenticated Stored XSS

Published

2026-01-13

Title

JNews - Video <= 11.0.2 - Reflected Cross-Site Scripting

Published

2015-01-10

Title

Greg's High Performance SEO 1.6.1 - Reflected XSS