CVE-2023-4960 in WCFM Marketplace Plugin
Summary
by MITRE • 01/11/2024
The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfm_stores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/03/2025
The vulnerability identified as CVE-2023-4960 affects the WCFM Marketplace plugin for WordPress, specifically versions up to and including 3.6.2. This represents a critical security flaw that exposes websites using this plugin to potential exploitation by malicious actors. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's implementation of the 'wcfm_stores' shortcode functionality. The issue is particularly concerning because it allows authenticated attackers who possess contributor-level permissions or higher to execute malicious code on victim systems.
The technical flaw manifests through the improper handling of user-supplied attributes within the wcfm_stores shortcode implementation. When legitimate users with appropriate privileges create or modify content containing this shortcode, the plugin fails to adequately sanitize the input parameters before processing them. This insufficient validation creates an opening for attackers to inject malicious JavaScript code that gets stored within the website's database. The vulnerability is classified as stored cross-site scripting because the malicious payload persists in the system and executes whenever any user accesses pages containing the compromised shortcode, making it particularly dangerous for widespread impact.
The operational impact of this vulnerability extends beyond simple data theft or defacement. Attackers can leverage this flaw to perform various malicious activities including session hijacking, credential theft, and redirection to phishing sites. The fact that the vulnerability requires only contributor-level permissions makes it especially dangerous as it can be exploited by users who have legitimate access to the website's administrative functions. This creates a significant risk for websites where contributor accounts may be shared with third parties or where account security is not properly maintained. The stored nature of the vulnerability means that the malicious code remains active until manually removed from the system, providing attackers with persistent access to compromised websites.
Organizations affected by this vulnerability should immediately upgrade to the latest version of the WCFM Marketplace plugin where the XSS flaw has been addressed. The mitigation strategy should include comprehensive monitoring of user activities and content modifications, particularly for users with contributor permissions or higher. Security teams should also implement additional input validation measures at the web application firewall level and consider implementing content security policies to limit the execution of unauthorized scripts. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a clear violation of the principle of least privilege as outlined in the MITRE ATT&CK framework. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other plugins and themes that may be present in the WordPress ecosystem.