W4 Post List < 2.4.6 – Reflected XSS | CVE 2023-1373 | Plugin Vulnerabilities

Description

The plugin does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting

Proof of Concept

Make a logged in admin open https://example.com/wp-admin/edit.php?post_type=w4pl&page=w4pl-docs&a"><script>alert(/XSS/)</script>

On a page where there is a list with navigation displayed (put a [nav] in the template of the list) output, append the following payload: a"><script>alert(/XSS/)</script>, example: https://example.com/list/w4-post-list-1/?a"><script>alert(/XSS/)</script>

Affects Plugins

Fixed in 2.4.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

fa38f3e6-e04c-467c-969b-0f6736087589

Timeline

Publicly Published

2023-03-22 (about 2 years ago)

Added

2023-03-22 (about 2 years ago)

Last Updated

2023-03-22 (about 2 years ago)

Other

Published

Title

Published

2025-01-16

Title

WP-NOTCAPTCHA <= 1.3.1 - Reflected Cross-Site Scripting

Published

2024-08-05

Title

Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager < 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload

Published

2015-08-26

Title

Smart Slider 2 <= 2.3.11 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2018-07-16

Title

Anycomment < 0.0.33 - XSS

Published

2025-09-22

Title

BuddyPress Notification Widget <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting