CVE-2023-4963 in WS Facebook Like Box Widget Plugin

Summary

by MITRE • 09/15/2023

The WS Facebook Like Box Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ws-facebook-likebox' shortcode in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 04/10/2026

The WS Facebook Like Box Widget plugin for WordPress is affected by a stored cross-site scripting vulnerability tracked as CVE-2023-4963, present in versions up to and including 5.0. The flaw lies in the handler for the 'ws-facebook-likebox' shortcode, which lets post authors embed a Facebook like box by writing a short bracketed tag in their content: the attribute values taken from that tag are neither validated on input nor escaped on output before the plugin builds the like box markup, so whatever an author writes in an attribute is reproduced into the rendered page as-is.

Exploitation requires an authenticated account at contributor level or above, the lowest built-in role that can write posts. The attacker creates or edits a post containing the shortcode with a crafted attribute value, for example one that closes the quoted HTML attribute the plugin emits and appends an inline event handler. Because a contributor lacks the unfiltered_html capability, WordPress's KSES filter strips raw script tags from the post body, but a shortcode is plain text inside square brackets and passes KSES untouched; the malicious value is stored in the post's content in the database and only becomes HTML when the plugin expands the shortcode at render time. From then on the script runs in the browser of anyone who views the post, including an editor or administrator previewing or reviewing it before publication, which is the usual route by which a contributor turns this flaw into a privileged session. This is the classic stored XSS pattern: the payload is injected once and executes on every subsequent view without further action by the attacker.
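To make the defect concrete, here is an added illustration written for this analysis, not code taken from the WS Facebook Like Box Widget plugin: a hypothetical handler for a [ws-facebook-likebox] shortcode, first with the flaw class described above and then hardened with input validation and output escaping. The attribute names (page_url, width, height, show_faces), the function names and the emitted markup are assumptions; the real plugin's attributes and output may differ.

```php
<?php
/*
 * Added illustration, not the plugin's own code. Two handlers for a
 * hypothetical [ws-facebook-likebox] shortcode: the first shows the
 * defect class (attribute values copied straight into HTML), the second
 * validates each value to its expected type and escapes it on output.
 * Attribute names and markup are assumptions.
 */

// Vulnerable pattern: attribute values are interpolated into HTML as-is.
// A contributor can write
//   [ws-facebook-likebox width='340" onmouseover="alert(document.domain)']
// KSES leaves that text alone, shortcode_parse_atts() returns the single-
// quoted value with the embedded double quote intact, and the string below
// produces  data-width="340" onmouseover="alert(document.domain)".
function wsfbl_vuln_render( $atts ) {
    $atts = shortcode_atts( array(
        'page_url'   => 'https://www.facebook.com/facebook',
        'width'      => '340',
        'height'     => '500',
        'show_faces' => 'true',
    ), $atts, 'ws-facebook-likebox' );

    return '<div class="fb-page" data-href="' . $atts['page_url'] . '"'
         . ' data-width="' . $atts['width'] . '"'
         . ' data-height="' . $atts['height'] . '"'
         . ' data-show-facepile="' . $atts['show_faces'] . '"></div>';
}

// Hardened pattern: coerce every attribute to its expected type, then escape
// at the point where it is written into HTML.
function wsfbl_safe_render( $atts ) {
    $atts = shortcode_atts( array(
        'page_url'   => 'https://www.facebook.com/facebook',
        'width'      => '340',
        'height'     => '500',
        'show_faces' => 'true',
    ), $atts, 'ws-facebook-likebox' );

    // URL: only http(s); esc_url() also drops javascript: and other schemes.
    // Additionally pin the host to facebook.com, since nothing else is valid here.
    $page_url = esc_url( $atts['page_url'], array( 'http', 'https' ) );
    $host     = wp_parse_url( $page_url, PHP_URL_HOST );
    if ( ! $host || ! preg_match( '/(^|\.)facebook\.com$/i', $host ) ) {
        $page_url = 'https://www.facebook.com/facebook';
    }

    // Sizes: integers only, clamped to a sane range (limits are assumptions).
    $width  = min( max( absint( $atts['width'] ), 180 ), 500 );
    $height = max( absint( $atts['height'] ), 70 );

    // Flag: allow-list the two literal strings the embed accepts.
    $show_faces = ( 'true' === strtolower( $atts['show_faces'] ) ) ? 'true' : 'false';

    // esc_attr() on the URL and %d on the integers mean no attribute value can
    // close the quote it sits in, whatever the author typed.
    return sprintf(
        '<div class="fb-page" data-href="%s" data-width="%d" data-height="%d" data-show-facepile="%s"></div>',
        esc_attr( $page_url ),
        $width,
        $height,
        $show_faces
    );
}

// Only the hardened handler is registered; the vulnerable one is kept for comparison.
add_shortcode( 'ws-facebook-likebox', 'wsfbl_safe_render' );
```

The important design point is that validation happens on the value's type (integer, URL with a pinned host, enumerated flag) rather than on a blacklist of dangerous characters, and that escaping is done in the same line that emits the HTML, so a future code path cannot reuse the raw value by accident.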

The impact goes beyond running a script: code executing in a victim's browser on the site's own origin can issue authenticated requests with that user's session, so an administrator who views the injected page can be made to create a new administrator account, change site settings or install a plugin through wp-admin or the REST API, and any viewer can be redirected to attacker-controlled sites or shown fake login forms for credential theft. The low privilege required makes the flaw most dangerous on sites that hand out contributor accounts to untrusted or semi-trusted people, such as sites with open registration, guest-author programmes or old staff accounts that were never removed. Because the payload lives in stored content, it persists until the post is cleaned up, not merely until the attacker's own session ends. The vulnerability maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) and, in ATT&CK terms, to T1059.007 (Command and Scripting Interpreter: JavaScript).

Mitigation starts with updating the plugin to a release that fixes the sanitization and escaping defect; where no fixed release is available for a site, the shortcode should be disabled or the plugin removed. The code-level fix for this class of bug is to run every attribute through shortcode_atts() with a default set, coerce each value to its expected type (integers with absint(), URLs with esc_url() restricted to http and https, flags against an allow-list) and escape it with esc_attr() or esc_url() at the point where it is written into HTML; escaping only on input, or only in some code paths, is how such bugs usually survive review. Administrators should also check who holds contributor and author roles and remove accounts that do not need them, search post content in wp_posts for the shortcode with unexpected characters in its attributes (quotes, angle brackets, on*= handlers, javascript: URLs), and treat a hit in a pending post as an attack aimed at the reviewer rather than as a broken widget. A Content Security Policy that forbids inline scripts and event handlers would stop the typical payload, but most WordPress themes and plugins depend on inline script, so CSP is rarely deployable as the sole control. The flaw is a reminder that in a CMS the shortcode boundary is an input boundary: KSES protects against raw HTML from low-privilege authors, but anything a plugin turns back into HTML later must be escaped by that plugin.
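As an added example, not part of VulDB's entry or of the plugin, the following WP-CLI script searches posts in every status for [ws-facebook-likebox] shortcodes whose attribute values contain characters that cannot occur in a legitimate URL or size. It relies only on WordPress's own shortcode parsing functions; the file name, the function names and the heuristic character list are assumptions, and a hit should be inspected by hand rather than deleted blindly.

```php
<?php
/*
 * Added detection helper, not part of the plugin or of this advisory.
 * Run inside a WordPress install, e.g.:  wp eval-file find-likebox-xss.php
 * It lists posts (including pending and draft ones, which is where a
 * contributor's payload waits for a reviewer) whose [ws-facebook-likebox]
 * attributes look like attribute break-outs or script URLs.
 */

// Heuristic (an assumption, tune as needed): quotes and angle brackets
// break out of an HTML attribute; on*= and javascript:/data: mark handlers
// and script URLs. shortcode_parse_atts() has already removed the outer
// quotes, so any quote left inside a value is suspicious.
function wsfbl_suspicious_value( $value ) {
    return (bool) preg_match( '/[<>"\']|\bon\w+\s*=|javascript\s*:|data\s*:/i', $value );
}

// Returns a list of array( 'attr' => name, 'value' => raw value ) for every
// suspicious attribute in every ws-facebook-likebox shortcode in $content.
function wsfbl_scan_post_content( $content ) {
    $hits    = array();
    $pattern = get_shortcode_regex( array( 'ws-facebook-likebox' ) );
    if ( ! preg_match_all( '/' . $pattern . '/s', $content, $matches, PREG_SET_ORDER ) ) {
        return $hits;
    }
    foreach ( $matches as $m ) {
        // Capture group 3 of WordPress's shortcode regex is the raw attribute string.
        $atts = shortcode_parse_atts( $m[3] );
        if ( ! is_array( $atts ) ) {
            continue; // no attributes at all
        }
        foreach ( $atts as $name => $value ) {
            if ( is_string( $value ) && wsfbl_suspicious_value( $value ) ) {
                $hits[] = array( 'attr' => $name, 'value' => $value );
            }
        }
    }
    return $hits;
}

// Pull only posts that mention the shortcode, in any status a reviewer might open.
$query = new WP_Query( array(
    'post_type'      => 'any',
    'post_status'    => array( 'publish', 'pending', 'draft', 'future', 'private' ),
    's'              => '[ws-facebook-likebox',
    'posts_per_page' => -1,
    'fields'         => 'ids',
) );

$total = 0;
foreach ( $query->posts as $post_id ) {
    $post = get_post( $post_id );
    foreach ( wsfbl_scan_post_content( $post->post_content ) as $hit ) {
        $total++;
        WP_CLI::warning( sprintf(
            'post %d (author %d, status %s): attribute "%s" = %s',
            $post_id, $post->post_author, $post->post_status, $hit['attr'], $hit['value']
        ) );
    }
}
WP_CLI::success( sprintf( 'Scanned %d post(s), %d suspicious attribute value(s).', count( $query->posts ), $total ) );
```

The author id printed with each hit is the useful part for incident response: a suspicious value in a pending post tells you which contributor account to suspend and whose other posts and revisions to examine next.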

Responsible

Wordfence

Reservation

09/14/2023

Disclosure

09/15/2023

Moderation

accepted

CPE

ready

EPSS

0.00355

KEV

no

Activities

very low
