During the evaluation of the Medialist plugin, security researchers discovered a critical vulnerability enabling Stored Cross-Site Scripting (XSS) attacks. This vulnerability allows contributors to embed malicious JavaScript code into new posts using a specific shortcode, leading to potential account takeover and other malicious activities.

Main info:

PluginMedialist < 1.4.1
All Time6 205
Active installations800+
Publicly PublishedJanuary 1, 2024
Last UpdatedJanuary 1, 2024
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5942
Plugin Security Certification by CleanTalk


September 27, 2023Plugin testing and vulnerability detection in the Media List plugin have been completed
September 27, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
November 15, 2023The author fixed the vulnerability and released the plugin update
January 1, 2024Registered CVE-2023-5942

Discovery of the Vulnerability

In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the contributor by embedding the shortcode in a new post, which entails account takeover

Understanding of Stored XSS attack’s

Stored XSS vulnerabilities occur when user-supplied data is stored on a website’s server and later displayed to other users without proper sanitization. In WordPress, plugins often process user input to generate dynamic content such as posts or comments. Attackers can exploit this functionality by injecting malicious JavaScript code into posts or comments, which is then executed when other users view the affected content.

For example, in the Medialist plugin, the vulnerable shortcode allows contributors to embed media content into posts. By injecting JavaScript code into the shortcode attributes, an attacker can trigger arbitrary actions when unsuspecting users view the compromised content.

Exploiting the Stored XSS Vulnerability

To exploit the vulnerability, an attacker would craft a malicious post containing the vulnerable shortcode with embedded JavaScript code. This code would execute when the post is viewed by other users, potentially leading to account takeover or other malicious activities.

POC request:

[medialist style='” onmouseover=”alert(/XSS/)”‘ rml_folder=/var/www/html/wordpress globalitems=1 ]


The impact of this vulnerability is severe, as it allows attackers to compromise the integrity and security of WordPress websites. In real-world scenarios, an attacker could exploit this vulnerability to steal sensitive user data, spread malware, deface websites, or perform other malicious actions.

Recommendations for Improved Security

  • To mitigate the risk posed by Stored XSS vulnerabilities, developers should implement proper input validation and output sanitization techniques in their plugins. WordPress administrators should also keep their plugins up to date and monitor for security advisories from plugin developers. Additionally, users should exercise caution when interacting with user-generated content on websites and install security plugins that offer protection against XSS attacks.

Stay informed about security vulnerabilities and best practices by subscribing to security mailing lists, following security blogs, and participating in relevant forums or communities.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website


Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2023-5942 – Medialist – Stored XSS via shortcode – POC

Leave a Reply

Your email address will not be published. Required fields are marked *