WordPress Vulnerabilities

WP 6.3-6.3.1 - Contributor+ Stored XSS via Footnotes Block

Description

WordPress does not escape some of its Footnotes block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects WordPress

6.3.1
Fixed in WordPress 6.3.2
6.3
Fixed in WordPress 6.3.2

References

URL
https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Jorge Costa
Verified
No
WPVDB ID
63270b61-dddd-4cc0-a091-a04cb4f682ec

Timeline

Publicly Published
2023-10-12 (about 6 months ago)
Added
2023-10-13 (about 6 months ago)
Last Updated
2023-10-13 (about 6 months ago)

Other

Published
Title
Published
2023-01-23
Title
WP Popups < 2.1.4.9 - Contributor+ Stored XSS
Published
2016-09-30
Title
Appointment Calendar - Stored Cross-Site Scripting (XSS)
Published
2014-08-01
Title
Booking System - Reflected Cross-Site Scripting (XSS)
Published
2014-08-01
Title
ZeenShare plugin < 1.0.1 - Cross-Site Scripting (XSS)
Published
2021-07-07
Title
WP Upload Restriction <= 2.2.3 - Authenticated Stored XSS