CVE-2023-5049 — Cross-site Scripting in Rafflepress

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

CNA6.4

EPSS

0.1%

top 74.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Seedprod Rafflepress

Timeline

PublishedOct 30

Latest updateApr 11

Description

The Giveaways and Contests by RafflePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rafflepress' and 'rafflepress_gutenberg' shortcode in versions up to, and including, 1.12.0 due to insufficient input sanitization and output escaping on 'giframe' user supplied attribute. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected pa…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

▶NVDseedprod/rafflepress1.12.0

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

VulDB

RafflePress Giveaways and Contests Plugin up to 1.12.0 on WordPress Shortcode cross site scripting (ID 2976620)↗2026-04-11

▶

GHSA

GHSA-rxvw-rgx9-7hq4: The Giveaways and Contests by RafflePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rafflepress' and 'rafflepress_gut↗2023-10-30

▶

CVEList

Giveaways and Contests by RafflePress <= 1.12.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode↗2023-10-30

▶