CVE-2023-2634 in Get Your Number Plugin
Summary
by MITRE • 06/05/2023
The Get your number WordPress plugin through 1.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/26/2025
The vulnerability identified as CVE-2023-2634 affects the Get your number WordPress plugin version 1.1.3 and earlier, representing a critical security flaw that enables stored cross-site scripting attacks. This issue specifically targets high-privilege users such as administrators who possess the necessary capabilities to modify plugin settings within WordPress environments. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's configuration handling processes, creating a persistent security risk that can affect multiple users within the compromised system.
The technical flaw manifests in the plugin's failure to properly sanitize user-supplied data before storing it in the WordPress database and subsequently rendering it on web pages without appropriate HTML escaping. This oversight allows attackers with administrative privileges to inject malicious JavaScript code through the plugin's settings interface, which then gets executed whenever other users view the affected pages. The vulnerability is particularly concerning because it can bypass WordPress's default security measures, including the unfiltered_html capability restriction that is commonly enforced in multisite configurations to prevent unauthorized code execution. This means that even in environments where standard security protections are in place, administrators remain vulnerable to this specific attack vector.
The operational impact of CVE-2023-2634 extends beyond simple script execution, potentially allowing attackers to perform session hijacking, defacement of website content, data exfiltration, and further compromise of the WordPress installation. In multisite environments, the vulnerability becomes even more dangerous as it can affect multiple sites within a single network, potentially enabling attackers to gain access to sensitive information across various networked installations. The stored nature of the XSS vulnerability means that the malicious payload persists in the database and continues to execute until manually removed, creating a long-term security threat that can affect users for extended periods without detection.
From a cybersecurity perspective, this vulnerability aligns with CWE-79 (Cross-Site Scripting) and represents a classic example of how insufficient input validation and output escaping can create persistent security weaknesses in web applications. The ATT&CK framework categorizes this as a technique involving code injection and privilege escalation, as it allows attackers to leverage existing administrative access to execute malicious code. Organizations should implement immediate mitigations including updating to the patched version of the Get your number plugin, reviewing and hardening WordPress security configurations, and conducting thorough security audits of all installed plugins. Additionally, implementing proper input validation and output escaping mechanisms within the WordPress environment can help prevent similar vulnerabilities from occurring in other custom or third-party components. The vulnerability underscores the importance of maintaining up-to-date software, implementing proper security testing procedures, and ensuring that all user inputs are properly sanitized before being processed or stored within web applications.