Security Vulnerabilities - CVEs Published In February 2023
The Materialis Companion WordPress plugin before 1.3.40 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-02-06
The WP Blog and Widgets WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVSS Score
5.4
EPSS Score
0.004
Published
2023-02-06
The WP-ShowHide WordPress plugin before 1.05 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVSS Score
5.4
EPSS Score
0.003
Published
2023-02-06
The Simple Tooltips WordPress plugin before 2.1.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVSS Score
5.4
EPSS Score
0.002
Published
2023-02-06
The YourChannel: Everything you want in a YouTube plugin WordPress plugin before 1.2.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-02-06
The Breadcrumb WordPress plugin before 1.5.33 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-02-06
The Clean Login WordPress plugin before 1.13.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
CVSS Score
5.4
EPSS Score
0.003
Published
2023-02-06
The EAN for WooCommerce WordPress plugin before 4.4.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS Score
5.4
EPSS Score
0.003
Published
2023-02-06
The ResponsiveVoice Text To Speech WordPress plugin before 1.7.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS Score
5.4
EPSS Score
0.004
Published
2023-02-06
The WC Vendors Marketplace WordPress plugin before 2.4.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS Score
5.4
EPSS Score
0.004
Published
2023-02-06