WordPress Plugin Vulnerabilities

Sp*tify Play Button for WordPress < 2.08 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
spotify-play-button-for-wordpress
Fixed in 2.08

References

CVE
CVE-2023-1840

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.8 (low)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
7db69191-dd51-4dab-a8aa-ab897a15ee69

Timeline

Publicly Published
2023-04-04 (about 1 years ago)
Added
2023-04-05 (about 1 years ago)
Last Updated
2023-04-05 (about 1 years ago)

Other

Published
Title
Published
2021-03-01
Title
WP GDPR Compliance < 1.5.6 - Unauthenticated Stored Cross-Site Scripting (XSS)
Published
2023-06-26
Title
ApplyOnline < 2.5.6 - Admin+ Stored XSS
Published
2009-07-29
Title
Google Analyticator < 5.2.1 - XSS
Published
2024-05-03
Title
Sheets To WP Table Live Sync < 3.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-02-13
Title
Enhanced Text Widget < 1.6.6 - Admin+ Stored XSS