WordPress Plugin Vulnerabilities

Owl Carousel <= 0.5.3 - Contributor+ Stored Cross-Site Scripting via shortcode

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back into the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.

Affects Plugins

Plugin icon
owl-carousel
No known fix

References

CVE
CVE-2023-23829
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/owl-carousel/owl-carousel-053-authenticated-contributor-stored-cross-site-scripting-via-shortcode

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
Yes
WPVDB ID
527ea861-f588-45ab-a051-4e38cb2149aa

Timeline

Publicly Published
2023-05-11 (about 1 years ago)
Added
2023-08-09 (about 9 months ago)
Last Updated
2023-08-09 (about 9 months ago)

Other

Published
Title
Published
2014-08-01
Title
Broken Link Checker 1.9.1 - Sort Direction Query Argument H&ling XSS
Published
2015-08-03
Title
Builder Theme < 1.4.1 - PrettyPhoto DOM Cross-Site Scripting (XSS)
Published
2014-08-01
Title
WP Symposium < 11.12.08 - Cross-Site Scripting (XSS)
Published
2014-08-01
Title
Finalist - vote.php id Parameter Reflected XSS
Published
2014-08-01
Title
Mingle Forum 1.0.33.3 - fs-admin.php togroupusers Parameter XSS