Pinyin Slugs < 2.3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2023-47511 | Plugin Vulnerabilities

Description

The Pinyin Slugs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

so-pinyin-slugs

Fixed in 2.3.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/65e76681-80e0-40aa-a68b-87cb0c42b4f8

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

yuyudhn

Verified

No

WPVDB ID

ef8f408c-fa76-43f7-950d-0382f08313ca

Timeline

Publicly Published

2023-11-07 (about 6 months ago)

Added

2023-11-23 (about 5 months ago)

Last Updated

2024-01-22 (about 3 months ago)

Other

Published

Title

Published

2023-09-19

Title

File Manager Pro < 1.8.1 - Admin+ Stored Cross-Site Scripting

Published

2023-08-28

Title

Ultimate Addons for Contact Form 7 < 3.2.1 - Reflected XSS

Published

2023-06-15

Title

CHP Ads Block Detector < 3.9.8 - Subscriber+ Stored Cross-Site Scripting

Published

2021-08-11

Title

Securimage-WP-Fixed <= 3.5.4 - Reflected Cross-Site Scripting (XSS)

Published

2022-03-10

Title

UpdraftPlus < 1.22.9 - Reflected Cross-Site Scripting