CVE-2023-5237 – Memberlite Shortcodes – Stored XSS via shortcode

CVE-2023-5237 – Memberlite Shortcodes – Stored XSS via shortcode

During a comprehensive assessment of the Memberlite Shortcodes plugin, a critical vulnerability was uncovered. This vulnerability enables threat actors to execute Stored Cross-Site Scripting (XSS) attacks by leveraging a shortcode within a new post. This security flaw has the potential to result in an account takeover, particularly when exploited by a contributor.

CVE-2023-5307 – Photos and Files Contest Gallery – Contact Form < 21.2.8.1 – Unauthenticated Stored XSS via HTTP Headers

CVE-2023-5307 – Photos and Files Contest Gallery – Contact Form < 21.2.8.1 – Unauthenticated Stored XSS via HTTP Headers

During the rigorous testing of the Photos and Files Contest Gallery – Contact Form plugin, a critical vulnerability was identified. This vulnerability allows unauthorized users to trigger a Stored Cross-Site Scripting (XSS) vulnerability, subsequently elevating their privileges to the administrator role. The root cause of this vulnerability lies in X-Forwarded-For Header Injection.