During the evaluation of the Magee Shortcodes plugin, security researchers identified a critical vulnerability enabling Stored Cross-Site Scripting (XSS) attacks. This vulnerability permits malicious actors to execute arbitrary JavaScript code within the context of a victim’s browser when interacting with a compromised post containing specially crafted shortcodes.

Main info:

CVE: CVE-2023-4783
Plugin: Magee Shortcodes <= 2.1.1
Criticality: High
All Time: 383 035
Active installations: 9 000+
Publicly Published: September 21, 2023
Last Updated: September 21, 2023
Researcher: Dmitrii Ignatyev
OWASP TOP-10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4783
https://wpscan.com/vulnerability/02928db8-ceb3-471a-b626-ca661d073e4f/

Timeline

September 4, 2023: Plugin testing and vulnerability detection in Magee Shortcodes have been completed
September 4, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
September 12, 2023: The plugin has been closed
September 21, 2023: Registered CVE-2023-4783

Discovery of the Vulnerability

In the process of testing the plugin, a vulnerability was found that allows a user with the Contributor role to achieve Stored XSS by embedding the shortcode in a new post. Because the injected script runs in the browser of anyone who views the post, including administrators, this can lead to account takeover.

Understanding Stored XSS attacks

Stored XSS vulnerabilities occur when user-supplied data is stored on a website’s server and later displayed to other users without proper sanitization. In the case of WordPress, plugins often process user input to generate dynamic content such as posts or comments. Attackers can exploit this functionality by injecting malicious JavaScript code into posts or comments, which is then executed when other users view the affected content.

For example, in the Magee Shortcodes plugin, the vulnerable [ms_alert] shortcode allows contributors to embed custom alert messages in posts. Its attribute values (here the id attribute) are written into the generated HTML without escaping, so a value containing a quote character closes the attribute and the rest is parsed as new attributes, including event handlers. By injecting JavaScript code into the shortcode attributes this way, an attacker can trigger arbitrary actions when unsuspecting users view the compromised content.
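The following is an added illustration, not code from the Magee Shortcodes plugin: a minimal [ms_alert] handler written in the unescaped style that makes attribute breakout possible, next to a hardened handler that uses WordPress core escaping functions. The attribute names are assumed from the PoC; the handler bodies are hypothetical.

```php
<?php
// Added illustration, not the Magee Shortcodes source. Both handlers assume
// the same attribute names seen in the PoC (id, class, background_color).

// UNSAFE PATTERN (hypothetical): attribute values are concatenated straight
// into HTML. A value for id that contains a double quote closes the id
// attribute, so anything after it becomes further attributes on the <div>.
function ms_alert_unsafe( $atts, $content = '' ) {
    $a = shortcode_atts( array( 'id' => '', 'class' => '', 'background_color' => '' ), $atts, 'ms_alert' );
    return '<div id="' . $a['id'] . '" class="alert ' . $a['class'] . '"'
         . ' style="background-color:' . $a['background_color'] . '">'
         . do_shortcode( $content ) . '</div>';
}

// HARDENED: every attribute value passes through esc_attr(), which encodes
// quotes and angle brackets so the value can never leave its attribute.
// The colour is validated as a hex colour before it reaches a style
// attribute, and the inner content is filtered with wp_kses_post() so a
// Contributor cannot smuggle script or event-handler markup through it.
function ms_alert_safe( $atts, $content = '' ) {
    $a = shortcode_atts( array( 'id' => '', 'class' => '', 'background_color' => '' ), $atts, 'ms_alert' );
    $id    = esc_attr( $a['id'] );
    $class = esc_attr( $a['class'] );
    $bg    = sanitize_hex_color( $a['background_color'] ); // null/'' when not a valid hex colour
    $style = $bg ? ' style="background-color:' . esc_attr( $bg ) . '"' : '';
    return '<div id="' . $id . '" class="alert ' . $class . '"' . $style . '>'
         . wp_kses_post( do_shortcode( $content ) ) . '</div>';
}
add_shortcode( 'ms_alert', 'ms_alert_safe' );
```

With the hardened handler, the PoC's id value is emitted as a literal string inside the id attribute (quotes become &quot;), so no onmouseover attribute is created.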

Exploiting the Stored XSS Vulnerability

POC:

[ms_alert icon="fa-exclamation-circle" background_color="#ffcc00" text_color="#ffffff" border_width="0" border_radius="0" box_shadow="no" dismissable="yes" class="" id='" onmouseover="alert(/XSS/)"']Warning! Better check yourself, you're not looking too good.[/ms_alert]


The impact of this vulnerability is severe, as it allows attackers to compromise the integrity and security of WordPress websites. In real-world scenarios, an attacker could exploit this vulnerability to steal sensitive user data, spread malware, deface websites, or perform other malicious actions.

Recommendations for Improved Security

To mitigate the risk posed by Stored XSS vulnerabilities, developers should implement proper input validation and output escaping in their plugins; in particular, any shortcode attribute that is written into an HTML attribute must be escaped for that context. WordPress administrators should also keep their plugins up to date and monitor for security advisories from plugin developers. In this case, because the plugin has been closed and no fixed version is available, it is recommended to remove it. Additionally, users should exercise caution when interacting with user-generated content on websites and install security plugins that offer protection against XSS attacks.


DMITRII I.

CVE-2023-4783 – Magee Shortcodes – Stored XSS via shortcode – POC