First published: Fri Jun 09 2023
The Locatoraid Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 3.9.14 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Plainware Locatoraid | <=3.9.14 | |
CVE-2023-2031 is a vulnerability in the Locatoraid Store Locator plugin for WordPress.
CVE-2023-2031 has a severity of medium with a CVSS score of 5.4.
CVE-2023-2031 affects versions up to and including 3.9.14 of the Locatoraid Store Locator plugin for WordPress.
The CVE-2023-2031 vulnerability can be exploited through stored cross-site scripting (XSS) via the plugin's shortcode(s).
Yes, the fix for CVE-2023-2031 is to upgrade to a version of the Locatoraid Store Locator plugin for WordPress that is not affected by the vulnerability.
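
Stored XSS lives in saved post content, so content saved before the upgrade is worth reviewing. The following is an added example (not from the advisory or the plugin) that audits exported post rows for shortcode attribute values containing characters that would alter the HTML context if echoed unescaped. The `locatoraid` tag name, the attribute names, the row layout and the sample posts are assumptions constructed for illustration.

```python
import re

# Matches name="v", name='v' or name=v inside a shortcode's attribute string.
ATTR_RE = re.compile(r'''([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))''')
# Quotes, angle brackets, event-handler assignments and javascript: URLs change
# the HTML context when a value is echoed without escaping.
SUSPICIOUS_RE = re.compile(r'''[<>"'`]|\bon\w+\s*=|javascript\s*:''', re.I)


def shortcode_attrs(content, tag):
    """Yield (raw_shortcode, {attr: value}) for each [tag ...] in content."""
    pattern = r'\[' + re.escape(tag) + r'(?=[\s\]])([^\]]*)\]'
    for match in re.finditer(pattern, content):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(match.group(1)):
            attrs[name.lower()] = dq or sq or bare
        yield match.group(0), attrs


def audit_posts(posts, tag):
    """Return one finding per shortcode attribute whose value carries markup."""
    findings = []
    for post in posts:
        for raw, attrs in shortcode_attrs(post["content"], tag):
            for name, value in attrs.items():
                if SUSPICIOUS_RE.search(value):
                    findings.append({
                        "post_id": post["id"],
                        "author_role": post["author_role"],
                        "attr": name,
                        "value": value,
                        "shortcode": raw,
                    })
    return findings


# Constructed sample rows (not real data); tag and attribute names are assumed.
SAMPLE_POSTS = [
    {"id": 101, "author_role": "editor",
     "content": 'Find us: [locatoraid layout="map|list" limit="20"]'},
    {"id": 102, "author_role": "contributor",
     "content": "[locatoraid layout='x\" data-test=\"constructed']"},
    {"id": 103, "author_role": "contributor",
     "content": "No shortcode here, just <b>text</b>."},
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS, "locatoraid"):
        print(finding)
```

The shortcode matcher stops at the first `]`, so a value that itself contains a closing bracket is truncated; treat the output as a review queue rather than a verdict.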