Stored Cross-Site Scripting Vulnerability in Simple Like Page Plugin for WordPress
CVE-2023-4888

5.4MEDIUM

Key Information:

Vendor
Wordpress
Status
Simple Like Page Plugin
Vendor
CVE Published:
7 November 2023

Summary

The Simple Like Page Plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability through the 'sfp-page-plugin' shortcode. This issue arises from inadequate input sanitization and output escaping for user-supplied attributes, enabling authenticated attackers with contributor-level permissions or higher to inject malicious scripts. These injected scripts will execute whenever any user visits the affected page, potentially compromising user data and site integrity.

Affected Version(s)

Simple Like Page Plugin * <= 1.5.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/simple-faceboo...
https://plugins.trac.wordpress.org/browser/simple-faceboo...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lana Codes
.