CVE-2023-0070 in ResponsiveVoice Text to Speech Plugin
Summary
by MITRE • 02/06/2023
The ResponsiveVoice Text To Speech WordPress plugin before 1.7.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/25/2025
The vulnerability identified as CVE-2023-0070 affects the ResponsiveVoice Text To Speech WordPress plugin, specifically versions prior to 1.7.7, presenting a critical security risk through stored cross-site scripting flaws. This issue arises from insufficient input validation and output escaping mechanisms within the plugin's shortcode implementation, creating an exploitable vector that could compromise user sessions and enable unauthorized actions. The vulnerability impacts WordPress environments where the plugin is installed and actively used, particularly affecting sites that rely on contributor-level user roles and above for content management.
The technical flaw manifests in the plugin's handling of shortcode attributes where user-supplied input is not adequately sanitized before being rendered back to the page. When administrators or contributors embed the plugin's shortcode within posts or pages, the vulnerable code fails to escape special characters and malicious script payloads that may have been injected through the shortcode parameters. This lack of proper sanitization creates a persistent XSS vulnerability where malicious scripts can be stored within the WordPress content and executed whenever the affected page is loaded by any user with appropriate permissions. The vulnerability is particularly concerning as it requires only contributor-level privileges, making it accessible to users who typically have limited administrative capabilities.
The operational impact of this vulnerability extends beyond simple script execution, potentially enabling attackers to perform session hijacking, deface websites, steal sensitive user data, or redirect victims to malicious domains. The stored nature of the vulnerability means that once exploited, the malicious payloads persist until manually removed from the content, creating an ongoing threat vector that can affect multiple users over extended periods. Attackers could leverage this vulnerability to inject malicious JavaScript code that could harvest cookies, redirect users to phishing sites, or even install additional malware. The vulnerability's presence in a widely-used text-to-speech plugin increases the potential attack surface significantly, as many WordPress sites rely on such functionality for accessibility or content enhancement purposes.
Mitigation strategies for CVE-2023-0070 should prioritize immediate plugin updates to version 1.7.7 or later, which contain the necessary patches addressing the input validation and output escaping deficiencies. Organizations should also implement additional security measures including regular security audits of installed plugins, implementing content security policies to limit script execution, and monitoring user activity for suspicious shortcode usage. The vulnerability aligns with CWE-79, which categorizes cross-site scripting as a common weakness in web applications, and represents a specific instance of how insufficient input validation can create persistent security risks. From an ATT&CK framework perspective, this vulnerability maps to technique T1566.001 for initial access through malicious content, and potentially T1059 for command and control through script execution, making it a significant concern for defenders implementing comprehensive security postures.