WordPress Plugin Vulnerabilities

Import Spreadsheets from Microsoft Excel < 10.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Import Spreadsheets from Microsoft Excel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 10.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
import-spreadsheets-from-microsoft-excel
Fixed in 10.1.4

References

CVE
CVE-2023-48289
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d337e39c-3a3d-4465-bc40-77f0b27aeab2

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Verified
No
WPVDB ID
37089ee2-f6cf-441a-876b-40b798499e59

Timeline

Publicly Published
2023-11-23 (about 5 months ago)
Added
2023-11-29 (about 5 months ago)
Last Updated
2024-01-22 (about 3 months ago)

Other

Published
Title
Published
2022-03-02
Title
MC4WP < 4.8.7 - Admin+ Stored Cross-Site Scripting
Published
2017-12-19
Title
Custom Map <= 1.1 - Authenticated Cross-Site Scripting (XSS)
Published
2022-09-06
Title
WP Socializer < 7.3 - Admin+ Stored Cross-Site Scripting
Published
2023-11-13
Title
AMP+ Plus <= 3.0 - Reflected Cross Site Scripting
Published
2024-03-28
Title
Slider by Supsystic < 1.8.11 - Authenticated (Administrator+) Stored Cross-Site Scripting