WordPress Plugin Vulnerabilities

GEO my WordPress < 4.0.1 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
geo-my-wp
Fixed in 4.0.1

References

CVE
CVE-2023-5467

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
2fb68104-88de-4aad-a418-f968888ad829

Timeline

Publicly Published
2023-10-09 (about 7 months ago)
Added
2023-10-10 (about 7 months ago)
Last Updated
2023-10-10 (about 7 months ago)

Other

Published
Title
Published
2023-06-23
Title
InventoryPress <= 1.7 - Author+ Stored XSS
Published
2014-08-01
Title
Blaze - Unspecified XSS
Published
2022-01-18
Title
ProfileGrid < 4.7.5 - Subscriber+ Stored Cross-Site Scripting
Published
2023-01-30
Title
EmbedSocial < 1.1.28 - Contributor+ Stored XSS
Published
2024-04-29
Title
Fancy Elementor Flipbox <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Elementor Flipbox Widget