VYPR
← All advisories
Unrated severityNVD Advisory· Published Nov 27, 2023· Updated Aug 2, 2024

Webpushr < 4.35.0 - Unauthenticated Stored XSS

CVE-2023-5620

Description

The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

Root cause

"Missing authorization checks allow unauthenticated visitors to modify plugin options, some of which are rendered unsanitized, enabling stored XSS."

Attack vector

An unauthenticated visitor on the site can change certain plugin options [ref_id=1]. Because the plugin does not prevent visitors from modifying these settings, an attacker can inject malicious script content into plugin options that are later rendered on the page. This leads to Stored Cross-Site Scripting (XSS) [CWE-79] [ref_id=1]. The attack requires no authentication and no special privileges.

Affected code

The advisory does not specify exact files or functions. The vulnerability affects the Web Push Notifications WordPress plugin (webpushr-web-push-notifications) before version 4.35.0 [ref_id=1].

What the fix does

The advisory states the vulnerability is fixed in version 4.35.0 of the plugin [ref_id=1]. No patch diff is provided in the bundle. The fix likely involves adding proper capability checks (e.g., `current_user_can()`) to the AJAX handlers or settings pages that save plugin options, ensuring only authorized users can modify them, and/or adding output escaping to prevent stored XSS.

Preconditions

  • networkThe attacker must be able to reach the WordPress site's plugin settings endpoints (no authentication required).
  • configThe plugin must be installed and active with a version prior to 4.35.0.

Reproduction

The advisory does not include explicit reproduction steps beyond the description that visitors can change plugin options [ref_id=1]. The linked WPScan page may contain a proof of concept, but its content is not provided in the bundle.

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.