CVE-2023-5205 in Add Custom Body Class Plugininfo

Summary

by MITRE • 10/25/2023

The Add Custom Body Class plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_custom_body_class' value in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/10/2026

The vulnerability identified as CVE-2023-5205 affects the Add Custom Body Class plugin for WordPress, specifically targeting versions up to and including 1.4.1. This represents a critical security flaw that enables stored cross-site scripting attacks through improper input validation and output escaping mechanisms. The vulnerability is particularly concerning because it requires only contributor-level access or higher, making it accessible to users who should normally have restricted permissions within a WordPress environment. The plugin's failure to adequately sanitize user input creates a persistent vector for malicious code injection that can compromise the entire WordPress installation.

The technical flaw stems from insufficient input sanitization of the 'add_custom_body_class' parameter, which allows attackers to inject malicious scripts that are then stored within the WordPress database. When legitimate users access pages containing these injected scripts, the malicious code executes in their browsers, creating a persistent threat that can affect multiple users over time. This stored XSS vulnerability operates at the application level and falls under CWE-79, which specifically addresses cross-site scripting flaws where untrusted data is improperly sanitized before being returned to users. The vulnerability demonstrates a classic failure in input validation and output encoding practices that are fundamental to preventing web application attacks.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to manipulate user sessions, steal cookies, redirect users to malicious sites, or even perform actions on behalf of authenticated users. Since contributors and higher roles typically have access to various content management functions, attackers could potentially leverage this vulnerability to escalate privileges or compromise other users within the WordPress environment. The persistent nature of stored XSS means that once the malicious code is injected, it will continue to execute whenever affected pages are accessed, creating a long-term threat vector that can be difficult to detect and remove. This vulnerability aligns with ATT&CK technique T1566.001, which covers the exploitation of web applications through cross-site scripting attacks.

Mitigation strategies for CVE-2023-5205 should begin with immediate plugin updates to versions that address the sanitization and escaping issues. Organizations should implement strict input validation measures that sanitize all user-provided data before storing it in the database, particularly for parameters that will be rendered in HTML contexts. Additionally, role-based access controls should be reviewed to ensure that users with contributor-level permissions have appropriate restrictions on their ability to modify core system elements. Network monitoring should be enhanced to detect unusual script injection patterns, and regular security audits should be conducted to identify potential injection points within WordPress installations. Implementing Content Security Policy headers can provide additional defense-in-depth measures against script execution, while regular security patch management ensures that known vulnerabilities are addressed promptly. The vulnerability serves as a reminder of the critical importance of proper input sanitization and output escaping in preventing persistent web application attacks.

Responsible

Wordfence

Reservation

09/26/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00312

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!