CVE-2023-5234 in Related Products for WooCommerce Plugin
Summary
by MITRE • 11/22/2023
The Related Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'woo-related' shortcode in versions up to, and including, 3.3.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The CVE-2023-5234 vulnerability affects the Related Products for WooCommerce plugin, a popular WordPress extension that enables merchants to display related products on their e-commerce sites. This plugin version up to and including 3.3.15 contains a critical stored cross-site scripting flaw that stems from inadequate input validation and output escaping mechanisms. The vulnerability specifically impacts the 'woo-related' shortcode functionality, which is designed to dynamically generate product listings based on user-defined parameters. Attackers exploiting this weakness can manipulate the plugin's behavior by injecting malicious scripts through shortcode attributes, creating a persistent threat that remains active until manually removed from the WordPress database.
The technical flaw resides in the plugin's failure to properly sanitize and escape user-supplied input parameters within the shortcode implementation. When administrators or contributors with appropriate permissions create or modify posts containing the 'woo-related' shortcode, they can inject malicious JavaScript code through attributes such as product IDs, categories, or display parameters. The plugin processes these inputs without adequate filtering, allowing attackers to embed script tags, event handlers, or other malicious payloads that get stored in the WordPress database. These stored scripts execute whenever any user accesses pages containing the compromised shortcode, making the vulnerability particularly dangerous as it can affect multiple users without requiring them to click on specific links or perform additional actions.
The operational impact of this vulnerability extends beyond simple script execution, as it creates a persistent backdoor for attackers to compromise user sessions and potentially escalate privileges within the WordPress environment. Authenticated attackers with contributor-level permissions or higher can leverage this vulnerability to execute arbitrary code in the context of a victim's browser, potentially stealing session cookies, modifying product displays, redirecting users to malicious sites, or even injecting additional malicious plugins. The stored nature of the vulnerability means that once a malicious shortcode is injected, it remains active until manually removed from the database, providing attackers with long-term access to compromised sites. This makes the vulnerability particularly concerning for e-commerce platforms where contributor users may have limited security awareness and could inadvertently introduce malicious code during routine content management activities.
Organizations should immediately update to the patched version of the Related Products for WooCommerce plugin to remediate this vulnerability. The mitigation strategy should include comprehensive monitoring of user activity and shortcode usage within WordPress environments, particularly for users with contributor permissions or higher. Security teams should implement input validation controls at the application level to prevent unauthorized script injection, and consider implementing web application firewalls to detect and block suspicious shortcode parameters. Additionally, administrators should review and restrict contributor permissions where possible, ensuring that only trusted users have the ability to modify content that includes dynamic shortcode parameters. This vulnerability aligns with CWE-79 (Cross-Site Scripting) and represents a significant risk under ATT&CK technique T1566.001 (Phishing via Social Engineering) and T1059.007 (Command and Scripting Interpreter: JavaScript), emphasizing the need for layered security approaches that combine patch management, input validation, and user access controls to protect against such persistent threats.