PowerPress < 10.0.2 – Contributor+ Stored Cross-Site Scripting | CVE 2023-1917

Affects Plugins

Fixed in 10.0.2

References

CVE

CVE-2023-1917

URL

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/powerpress/powerpress-100-authenticated-contributor-stored-cross-site-scripting-via-shortcode

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.4 (medium)

Miscellaneous

Original Researcher

Alex Thomas

Verified

No

WPVDB ID

fb6f3000-1045-4267-8fe1-dac1b097d1bd

Timeline

Publicly Published

2023-04-11 (about 3 years ago)

Added

2023-06-09 (about 2 years ago)

Last Updated

2023-06-09 (about 2 years ago)

Other

Published

Title

Published

2025-04-16

Title

Themify Shortcodes < 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-18

Title

Pure Chat – Live Chat & More! < 2.41 - Reflected Cross-Site Scripting via purechatWidgetName Parameter

Published

2024-05-01

Title

WP Video Lightbox < 1.9.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

Published

2021-06-28

Title

ProfilePress < 3.1.8 - Authenticated Stored XSS

Published

2023-04-19

Title

BizLibrary <= 1.1 - Admin+ Stored XSS