Stored Cross-Site Scripting Vulnerability in WP Mailto Links Plugin for WordPress
CVE-2023-5109

5.4MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Mailto Links – Protect Email Addresses
Vendor: CVE Published:; 20 October 2023

Summary

The WP Mailto Links plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate validation of user inputs in the 'wpml_mailto' shortcode. This vulnerability allows authenticated attackers with contributor-level access or higher to introduce and execute arbitrary scripts in web pages viewed by users. The issue has been addressed partially in version 3.1.3 and completely resolved in version 3.1.4, reinforcing the importance of timely updates to protect against potential exploitation.

Affected Version(s)

WP Mailto Links – Protect Email Addresses * <= 3.1.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-mailto-link...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 20, 2023
Vulnerability Reserved
Sep 21, 2023

Credit

Lana Codes