Vulnerability Description
The TJ Shortcodes WordPress plugin through 0.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Theme-Junkie | Tj Shortcodes | <= 0.1.3 |
Related Weaknesses (CWE)
References
- https://research.cleantalk.org/cve-2023-6530-tj-shortcodes-stored-xss-poc/ExploitThird Party Advisory
- https://wpscan.com/vulnerability/8e63bf7c-7827-4c4d-b0e3-66354b218bee/ExploitThird Party Advisory
- https://research.cleantalk.org/cve-2023-6530-tj-shortcodes-stored-xss-poc/ExploitThird Party Advisory
- https://wpscan.com/vulnerability/8e63bf7c-7827-4c4d-b0e3-66354b218bee/ExploitThird Party Advisory
FAQ
What is CVE-2023-6530?
CVE-2023-6530 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The TJ Shortcodes WordPress plugin through 0.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allo...
How severe is CVE-2023-6530?
CVE-2023-6530 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-6530?
Check the references section above for vendor advisories and patch information. Affected products include: Theme-Junkie Tj Shortcodes.