Stored Cross-Site Scripting in List Category Posts Plugin for WordPress
CVE-2023-6994
5.4MEDIUM
What is CVE-2023-6994?
The List Category Posts plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) via the 'catlist' shortcode across all versions up to and including 0.89.3. This vulnerability arises from inadequate input sanitization and output escaping of user-supplied attributes, enabling authenticated attackers with contributor-level permissions or higher to inject malicious web scripts into pages. When users access these compromised pages, the injected scripts are executed, posing significant security risks to users' sessions and data.
Affected Version(s)
List category posts * <= 0.89.3