CVE-2023-5161 in Modal Window Plugin
Summary
by MITRE • 09/27/2023
The Modal Window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/10/2026
The Modal Window plugin for WordPress presents a critical security vulnerability classified as CVE-2023-5161, affecting versions through 5.3.5. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode implementation, creating a persistent cross-site scripting attack vector that can be exploited by authenticated users possessing contributor-level permissions or higher. The flaw exists within the plugin's handling of user-supplied attributes, where insufficient validation allows malicious code to be stored and executed within the WordPress environment.
The technical implementation of this vulnerability occurs when administrators or users with contributor privileges create or modify content using the plugin's shortcode functionality. The plugin fails to properly sanitize or escape user-provided attributes before rendering them in the output, allowing attackers to inject malicious JavaScript code through the shortcode parameters. This stored XSS vulnerability is particularly dangerous because the injected scripts persist in the database and execute whenever any user accesses pages containing the malicious content, regardless of whether they have administrative privileges. The vulnerability operates at the application layer and specifically targets the WordPress content management system's shortcode processing mechanisms.
From an operational perspective, this vulnerability creates significant risk for WordPress installations using the affected plugin version, as it allows attackers to escalate privileges and potentially compromise the entire WordPress environment. The attack requires only contributor-level access, which is often granted to trusted users or content editors, making the vulnerability particularly concerning for sites with multiple user roles. Once exploited, attackers can execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, data theft, or further privilege escalation. The stored nature of the vulnerability means that the malicious code remains persistent and can affect multiple users over time.
Security professionals should immediately update the Modal Window plugin to version 5.3.6 or later, which contains the necessary patches to address the input sanitization and output escaping deficiencies. Organizations should also implement comprehensive monitoring of user activities within the WordPress admin interface, particularly for shortcode modifications and content updates. The vulnerability aligns with CWE-79 (Cross-site Scripting) and can be mapped to ATT&CK technique T1548.003 (Abuse Elevation Control Mechanism) as it allows privilege escalation through the exploitation of user permissions. Additionally, implementing proper input validation and output escaping practices, as recommended by OWASP and the WordPress security hardening guidelines, would prevent similar vulnerabilities from occurring in other plugins or custom implementations.