In the context of CVE-2023-5774, the vulnerability allows an attacker to embed a malicious script within a shortcode in a new post. The script is stored on the server and executed when other users, particularly those with Author or higher privileges, view the post. This could potentially lead to a full account takeover of the compromised user.
In the realm of WordPress, where plugins are integral to extending functionality, a critical vulnerability was recently unearthed. Labeled CVE-2023-5618, this vulnerability is associated with the Modern Footnotes plugin, which, in the hands of an attacker, enables the execution of Stored Cross-Site Scripting (XSS) attacks via embedded shortcodes.
During testing, a critical vulnerability was discovered in the plugin, namely a vulnerability in the Directory Listings system, which allows an unauthorized user to view and download private files of other users. This vulnerability poses a serious security threat because it allows an attacker to gain access to confidential data and files of other users without their permission.
When it comes to managing and presenting your website’s authors, security should always be a top priority. The “Authors List” plugin, now at version 2.0.3, not only simplifies the process of displaying a list or grid of post authors (or any other user role) but also places a strong emphasis on security. In this article, we delve into the security enhancements of this plugin and highlight its prestigious “Plugin Security Certification” (PSC) awarded by CleanTalk.
While conducting a comprehensive evaluation of the User Private Files plugin, a significant security vulnerability was identified – “Insecure Direct Object References (IDOR).” This vulnerability allows malicious actors to access someone else’s folders, download files without consent, and potentially expose sensitive data. Even users who have never shared their files are at risk. Remarkably, this security flaw can be exploited by users with minimal privileges, such as “Subscribers,” provided that a page with the plugin’s shortcode exists on the website or by “Contributors” when creating a page with the plugin.
During a comprehensive assessment of the Memberlite Shortcodes plugin, a critical vulnerability was uncovered. This vulnerability enables threat actors to execute Stored Cross-Site Scripting (XSS) attacks by leveraging a shortcode within a new post. This security flaw has the potential to result in an account takeover, particularly when exploited by a contributor.
During the rigorous testing of the Photos and Files Contest Gallery – Contact Form plugin, a critical vulnerability was identified. This vulnerability allows unauthorized users to trigger a Stored Cross-Site Scripting (XSS) vulnerability, subsequently elevating their privileges to the administrator role. The root cause of this vulnerability lies in X-Forwarded-For Header Injection.