WordPress Plugin Vulnerabilities

Recently viewed and most viewed products <= 1.1.1 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

Description

The Recently viewed and most viewed products plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
recently-viewed-and-most-viewed-products
No known fix

References

CVE
CVE-2023-47646
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/61ec0e78-b367-438f-929d-94e055c83477

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Emili Castells
Verified
No
WPVDB ID
fabe411a-c256-47bf-9f80-2e79f1b75e0c

Timeline

Publicly Published
2023-11-07 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2021-09-09
Title
YouTube Video Inserter <= 1.2.1.0 - Reflected Cross-Site Scripting
Published
2026-02-11
Title
Diamond <= 2.4.8 - Reflected Cross-Site Scripting
Published
2026-01-21
Title
WorkScout < 4.1.08 - Unauthenticated Stored Cross-Site Scripting
Published
2021-02-08
Title
Pricing Table by Supsystic < 1.9.0 - Authenticated Stored Cross-Site Scripting
Published
2018-10-26
Title
Elementor Pro < 2.0.10 - XSS