CVE-2023-5615 in Skype Legacy Buttons Plugin
Summary
by MITRE • 10/25/2023
The Skype Legacy Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skype-status' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/10/2026
The CVE-2023-5615 vulnerability affects the Skype Legacy Buttons plugin for WordPress, a widely used tool that enables website administrators to display Skype status and call buttons on their sites. This particular plugin has been identified as susceptible to stored cross-site scripting attacks through its 'skype-status' shortcode functionality, representing a significant security weakness that could be exploited by malicious actors with appropriate privileges. The vulnerability exists in all versions up to and including version 3.1, indicating that a substantial portion of users may be exposed to this risk.
The technical flaw stems from inadequate input sanitization and output escaping in the plugin's code. When a user with contributor-level permissions or higher supplies values through the shortcode's attributes, the plugin neither validates nor escapes them before they are stored in the database, and the stored values are later rendered without escaping, so malicious script can be permanently embedded in the site's content. The weakness lies in the 'skype-status' shortcode, which takes user-supplied parameters and incorporates them into its generated HTML output without sufficient security controls.
The operational impact of this vulnerability is substantial, particularly for websites that rely on the Skype Legacy Buttons plugin and have multiple users with contributor privileges or higher. Attackers can leverage this weakness to inject malicious JavaScript code that will execute whenever any user accesses pages containing the compromised shortcode. This creates a persistent threat vector that can be used to steal user sessions, redirect visitors to malicious websites, or perform other harmful actions. The vulnerability is particularly concerning because it requires only contributor-level privileges to exploit, making it accessible to users who typically have limited administrative capabilities but still possess the ability to modify content.
The security implications extend beyond simple script injection: the issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting') and follows patterns consistent with ATT&CK technique T1566.001 (Phishing). Because the XSS is stored, the malicious code persists in the database and can affect many users over time. An organization running a vulnerable version is effectively providing attackers with a backdoor for ongoing access to its user base through the compromised site. The vulnerability also reflects weak input validation and output escaping, the controls that are fundamental to preventing cross-site scripting.
Mitigation strategies should begin with immediate plugin updates to versions that address the identified security flaw, though users should verify that the updated version properly resolves the vulnerability before deployment. Organizations should implement additional security measures including role-based access control restrictions to limit who can modify content that utilizes the skype-status shortcode, and regular monitoring of website content for unauthorized script injections. The implementation of Content Security Policy headers can provide additional protection layers against script execution, while comprehensive input validation and output escaping mechanisms should be enforced throughout the plugin's codebase. System administrators should also consider conducting security audits of all installed plugins to identify similar vulnerabilities that may exist in other third-party components.
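To make the flaw described in the analysis and the escaping mitigation concrete, here is an added illustration that is not the Skype Legacy Buttons plugin's own code: a minimal [skype-status] handler in the vulnerable shape, beside a hardened version that validates on input and escapes per output context. The attribute names (id, style, label), the allowed style values and the function names are assumptions.

```php
<?php
// Added illustration (not the plugin's own code): a shortcode handler in the
// vulnerable shape CVE-2023-5615 describes, next to a hardened one.
// Attribute names and allowed style values are assumed for the example.

// Vulnerable shape: attribute values flow straight into HTML.
function demo_skype_status_vulnerable( $atts ) {
    $a = shortcode_atts( array(
        'id'    => '',
        'style' => 'smallicon',
        'label' => 'Call me',
    ), $atts, 'skype-status' );

    // Stored unchanged at save time and echoed unchanged at render time,
    // so a contributor-level author can place arbitrary markup in the page.
    return '<a href="skype:' . $a['id'] . '?call" class="' . $a['style'] . '">'
         . $a['label'] . '</a>';
}

// Hardened shape: validate on input, escape on output, per HTML context.
function demo_skype_status_hardened( $atts ) {
    $a = shortcode_atts( array(
        'id'    => '',
        'style' => 'smallicon',
        'label' => 'Call me',
    ), $atts, 'skype-status' );

    // Skype name: letters, digits, dot, underscore, dash only; reject the rest.
    $id = preg_match( '/^[A-Za-z0-9._-]{1,64}$/', $a['id'] ) ? $a['id'] : '';
    // Style is an enumeration: allowlist instead of trusting the string.
    $style = in_array( $a['style'], array( 'smallicon', 'mediumicon', 'balloon' ), true )
        ? $a['style'] : 'smallicon';
    // Free text: strip tags and control characters on input.
    $label = sanitize_text_field( $a['label'] );

    if ( '' === $id ) {
        return ''; // Nothing to render without a valid Skype name.
    }
    // esc_attr() for attribute context, esc_html() for the text node.
    // (esc_url() is not used because skype: is not in WordPress's default protocol allowlist; the strict regex above already constrains $id.)
    return '<a href="' . esc_attr( 'skype:' . $id . '?call' ) . '" class="' . esc_attr( $style ) . '">'
         . esc_html( $label ) . '</a>';
}

add_shortcode( 'skype-status', 'demo_skype_status_hardened' );
```

When reviewing other plugins, the pattern to look for is the first function: shortcode_atts() values concatenated into markup with no esc_attr(), esc_html() or allowlist in between.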