WordPress Plugin Vulnerabilities

Reusable Text Blocks <= 1.5.3 - Author+ Stored Cross-Site Scripting via Shortcode

Description

The plugin does not validate and escape some of its attributes for the text-blocks shortcode before outputting them back into the page, which could allow users with a role of Administrator or higher to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as a superadmin.

Affects Plugins

Plugin icon
reusable-text-blocks
No known fix

References

CVE
CVE-2023-5745
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/reusable-text-blocks/reusable-text-blocks-153-authenticated-author-stored-cross-site-scripting-via-shortcode

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
fb5fa4a6-6cc0-491c-be9c-d0938aa1991b

Timeline

Publicly Published
2023-10-23 (about 2 years ago)
Added
2023-10-25 (about 2 years ago)
Last Updated
2023-10-25 (about 2 years ago)

Other

Published
Title
Published
2024-07-03
Title
Elementor Addons by Livemesh < 8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Grid
Published
2024-11-26
Title
Counter Up – Animated Number Counter & Milestone Showcase < 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-07-19
Title
WP Brutal AI < 2.06 - Admin+ Stored XSS
Published
2024-05-24
Title
Alemha Watermarker <= 1.3.1 - Author+ Stored XSS
Published
2025-04-08
Title
Calculated Fields Form < 5.2.62 - Admin+ Stored XSS