Stored Cross-Site Scripting Flaw in Horizontal Scrolling Announcement for WordPress
CVE-2023-5001

5.4MEDIUM

Key Information:

Vendor
Wordpress
Status
Horizontal scrolling announcement
Vendor
CVE Published:
16 September 2023

Summary

The Horizontal Scrolling Announcement plugin for WordPress is susceptible to Stored Cross-Site Scripting vulnerabilities due to improper input sanitization and output escaping of user-supplied attributes within the 'horizontal-scrolling' shortcode. This flaw allows authenticated attackers with contributor-level or higher permissions to insert arbitrary scripts into pages, potentially compromising the security of users who access those pages.

Affected Version(s)

Horizontal scrolling announcement * <= 9.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/horizontal-scr...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lana Codes
.