CVE-2023-4888 in Simple Like Page Plugin
Summary
by MITRE • 11/07/2023
The Simple Like Page Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sfp-page-plugin' shortcode in versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The Simple Like Page Plugin for WordPress represents a significant security vulnerability classified as CVE-2023-4888, which affects versions up to and including 1.5.1. This vulnerability manifests as a stored cross-site scripting flaw that specifically targets the plugin's 'sfp-page-plugin' shortcode implementation. The flaw arises from inadequate input sanitization and output escaping mechanisms within the plugin's codebase, creating a persistent security risk that can be exploited by authenticated attackers possessing contributor-level privileges or higher. The vulnerability's impact extends beyond simple script execution as it allows attackers to inject malicious web scripts into pages that will automatically execute whenever any user accesses those compromised pages, effectively creating a persistent backdoor within the WordPress environment.
The technical nature of this vulnerability aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws in web applications. This classification indicates that the plugin fails to properly validate and sanitize user-supplied input parameters that are subsequently rendered in web pages without adequate escaping mechanisms. The stored nature of this XSS vulnerability means that malicious scripts are permanently embedded within the WordPress database rather than existing only during a single request, making the attack more persistent and harder to detect. The vulnerability's exploitation requires minimal privileges, as attackers only need contributor-level access or higher, which is particularly concerning since this permission level is often granted to trusted users who may not be fully security-aware. The attack vector specifically targets the sfp-page-plugin shortcode, suggesting that the plugin's shortcode implementation lacks proper sanitization of attributes passed to it, allowing malicious payloads to be stored and executed in subsequent page views.
From an operational perspective, this vulnerability creates a substantial risk to WordPress sites utilizing the Simple Like Page Plugin, as it enables attackers to execute arbitrary scripts in the context of any user who views affected pages. The implications extend beyond simple data theft or defacement, as attackers could potentially establish persistent access through the execution of malicious JavaScript that could harvest user credentials, redirect traffic to malicious sites, or even deploy additional malware. The vulnerability affects any user who accesses pages containing the compromised shortcode, making it particularly dangerous for sites with high user traffic or those that frequently update content. The fact that this vulnerability requires only contributor-level permissions makes it especially concerning for organizations that grant these privileges to multiple users, as it significantly increases the attack surface and potential for successful exploitation.
The recommended mitigations for this vulnerability include immediate patching of the Simple Like Page Plugin to version 1.5.2 or later, which should contain the necessary sanitization and escaping fixes. Organizations should also implement additional security measures such as restricting contributor-level permissions to only trusted individuals, monitoring for unauthorized shortcode usage, and conducting regular security audits of installed plugins. Network-based security controls can help detect and prevent exploitation attempts, while endpoint protection solutions can provide additional layers of defense against malicious script execution. The vulnerability demonstrates the importance of proper input validation and output escaping practices in web application development, as outlined in the OWASP Top Ten security framework. Administrators should also consider implementing web application firewalls to provide additional protection against similar vulnerabilities in other plugins or themes. Regular security assessments of WordPress installations, including vulnerability scanning and penetration testing, remain essential practices to identify and remediate such security flaws before they can be exploited by malicious actors.