CVE-2023-5252 in FareHarbor Plugin
Summary
by MITRE • 10/30/2023
The FareHarbor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.6.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/11/2026
The FareHarbor plugin for WordPress presents a critical stored cross-site scripting vulnerability identified as CVE-2023-5252 affecting versions through 3.6.7. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode implementation, creating a persistent security flaw that can be exploited by authenticated attackers. The vulnerability specifically targets user-supplied attributes within shortcode parameters, allowing malicious actors to inject malicious scripts that persist in the plugin's database and execute whenever affected pages are accessed.
The technical flaw resides in the plugin's failure to properly sanitize and escape user input before storing and rendering it within web pages. When administrators or users with contributor-level permissions create or modify content using FareHarbor shortcodes, the plugin does not adequately validate or escape attribute values, creating a vector for persistent XSS attacks. This weakness aligns with CWE-79, which categorizes cross-site scripting vulnerabilities as a result of insufficient input validation and output escaping. The vulnerability's persistence is particularly concerning as stored XSS attacks can affect multiple users over time, with scripts executing automatically when legitimate users access compromised pages containing the malicious code.
The operational impact of this vulnerability extends beyond simple script injection, as it enables attackers with contributor-level permissions or higher to potentially escalate privileges, steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users. This threat is particularly severe in WordPress environments where contributors and higher roles typically have significant access to content management and user-facing features. The vulnerability can be exploited to compromise user sessions, steal sensitive information, or manipulate content displayed to other users, making it a serious concern for WordPress administrators managing multiple user roles and content types.
Mitigation strategies for CVE-2023-5252 should prioritize immediate plugin updates to versions that address the sanitization and escaping vulnerabilities, with administrators monitoring for patches from the plugin developers. Additionally, implementing proper input validation at multiple layers including server-side sanitization, output escaping for all dynamic content, and role-based access controls can significantly reduce the attack surface. Organizations should also consider implementing web application firewalls and content security policies to detect and prevent malicious script execution. The vulnerability's classification under ATT&CK technique T1566.001 for credential access through phishing and T1059.001 for command and scripting interpreter demonstrates its potential for broader exploitation beyond simple XSS, making comprehensive security measures essential for protecting WordPress environments.