PT-2023-20177 · WordPress · Wpcs – Wordpress Currency Switcher Professional
Alex Thomas
·
Published
2023-06-09
·
Updated
2023-06-14
·
CVE-2023-2558
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
WPCS – WordPress Currency Switcher Professional plugin versions up to, and including, 1.1.9
Description
The issue arises from insufficient input sanitization and output escaping on user-supplied attributes in the
wpcs current currency shortcode. This allows authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages. The injected scripts will execute whenever a user accesses the injected page.Recommendations
For versions up to, and including, 1.1.9, update to a version that addresses the insufficient input sanitization and output escaping issue in the
wpcs current currency shortcode.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wpcs – Wordpress Currency Switcher Professional