CVE-2023-5567 in QR Code Tag Plugin
Summary
by MITRE • 11/07/2023
The QR Code Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'qrcodetag' shortcode in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The QR Code Tag plugin for WordPress represents a critical security vulnerability classified as CVE-2023-5567, affecting versions up to and including 1.0. This vulnerability manifests as a stored cross-site scripting flaw that exploits the 'qrcodetag' shortcode functionality, creating a persistent threat vector within WordPress environments. The vulnerability specifically targets the plugin's handling of user-supplied attributes, demonstrating a fundamental failure in input validation and output sanitization mechanisms. Attackers with contributor-level privileges or higher can leverage this weakness to inject malicious scripts that persist in the system, making it particularly dangerous for multi-user WordPress installations where various permission levels exist. The stored nature of this XSS vulnerability means that malicious code remains embedded in the website's database and executes every time affected pages are accessed, creating a continuous attack surface.
The technical flaw underlying CVE-2023-5567 stems from inadequate sanitization of user input within the plugin's shortcode processing logic. When administrators or authorized users create or edit content containing the qrcodetag shortcode with malicious attributes, the plugin fails to properly escape or validate these inputs before storing them in the WordPress database. This insufficient input sanitization creates a pathway for attackers to inject JavaScript code, HTML content, or other malicious payloads that are then executed in the browsers of unsuspecting visitors who access pages containing the compromised shortcode. The vulnerability operates at the intersection of poor input validation and output escaping, where the plugin trusts user-provided data without proper verification or sanitization, directly correlating to CWE-79 - Improper Neutralization of Input During Web Page Generation. This weakness allows attackers to manipulate the plugin's behavior and potentially escalate their privileges or steal sensitive information from authenticated users.
The operational impact of CVE-2023-5567 extends beyond simple script injection, as it provides attackers with persistent access to compromised WordPress installations. Once a malicious shortcode is stored, it executes automatically whenever any user accesses the affected pages, potentially leading to session hijacking, credential theft, or further exploitation through browser-based attacks. The vulnerability affects all users who can access the WordPress editor or content management interface, making it particularly concerning for sites with multiple contributors or editors. Attackers could use this vulnerability to redirect users to malicious domains, inject tracking scripts, or even deploy more sophisticated attacks such as credential phishing or malware delivery. The persistent nature of stored XSS means that even if administrators later remove the malicious content, the scripts remain active in the database until manually cleaned, creating an ongoing security risk that could compromise site integrity and user data.
Organizations affected by CVE-2023-5567 should immediately implement several mitigation strategies to protect their WordPress installations. The most critical step involves upgrading to the latest version of the QR Code Tag plugin where the vulnerability has been patched, though administrators should verify that the update properly addresses the XSS vulnerability. Additionally, implementing strict input validation and output escaping measures within the WordPress environment can help prevent similar issues in other plugins or themes. Network monitoring and intrusion detection systems should be configured to identify unusual script injections or suspicious shortcode usage patterns. Administrators should also consider implementing content security policies to limit the execution of unauthorized scripts and restrict the capabilities of stored content. According to ATT&CK framework, this vulnerability maps to T1059.007 - Command and Scripting Interpreter: JavaScript, as it enables attackers to execute JavaScript code through the vulnerable shortcode. Regular security audits and penetration testing should be conducted to identify other potential XSS vulnerabilities in the WordPress ecosystem, particularly focusing on user-generated content handling and shortcode implementations. The vulnerability also highlights the importance of principle of least privilege, as attackers only require contributor-level access to exploit this issue, emphasizing the need for robust permission management in WordPress installations.