CVE-2023-5664 in Garden Gnome Package Plugin
Summary
by MITRE • 11/22/2023
The Garden Gnome Package plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ggpkg' shortcode in all versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 2.2.7 and fully patched in version 2.2.9.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The Garden Gnome Package plugin for WordPress represents a significant security vulnerability classified as CVE-2023-5664, affecting versions up to and including 2.2.8. This vulnerability manifests as a stored cross-site scripting flaw within the plugin's ggpkg shortcode functionality, creating a persistent threat vector that can compromise user sessions and execute malicious code. The vulnerability specifically targets the plugin's handling of user-supplied attributes within the shortcode implementation, where insufficient input sanitization and output escaping mechanisms fail to properly validate or encode potentially malicious content. Security researchers identified that this flaw allows authenticated attackers who possess contributor-level permissions or higher to inject arbitrary web scripts into pages that will execute whenever any user accesses those compromised pages, making it particularly dangerous in multi-user environments where contributors might have access to page editing capabilities.
The technical exploitation of this vulnerability occurs through the improper handling of user input within the ggpkg shortcode, which serves as an entry point for attackers to inject malicious scripts that persist in the database. When the shortcode processes user-supplied attributes, the plugin fails to adequately sanitize these inputs, allowing attackers to embed JavaScript code or other malicious payloads directly into the shortcode parameters. The vulnerability's persistence stems from the fact that these injected scripts are stored in the WordPress database rather than being executed only during the initial request, meaning the malicious code remains active and will execute whenever any user accesses the affected pages. This stored nature of the vulnerability aligns with CWE-79, which categorizes cross-site scripting flaws as a result of insufficient input validation and output escaping, making the vulnerability particularly dangerous as it can affect multiple users over extended periods without requiring repeated exploitation attempts.
The operational impact of CVE-2023-5664 extends beyond simple script execution, as authenticated attackers with contributor privileges can potentially escalate their privileges or harvest sensitive data from users who access compromised pages. The vulnerability's exploitation allows for session hijacking, data theft, and potential redirection to malicious websites, creating a comprehensive threat vector that can compromise entire WordPress installations. Additionally, the vulnerability's presence in versions up to 2.2.8 indicates a prolonged window of exposure where users were vulnerable to attacks, with partial mitigation provided in version 2.2.7 but full remediation only available in version 2.2.9. The attack surface is particularly concerning in environments where contributors have access to page editing capabilities, as this privilege level is commonly granted to trusted users who may not be security-aware, creating a realistic attack scenario where a compromised contributor account can serve as a foothold for broader system compromise.
Organizations affected by this vulnerability should immediately implement mitigation strategies including updating to version 2.2.9 or later, which contains the complete patch for this issue. Security administrators should also consider implementing additional protective measures such as monitoring for unauthorized shortcode usage, restricting contributor privileges where possible, and conducting regular security audits of WordPress plugins to identify similar vulnerabilities. The ATT&CK framework categorizes this vulnerability under T1546.001 for 'Privilege Escalation through Exploitation of a Software Vulnerability', while also relating to T1566.002 for 'Phishing through Exploitation of a Software Vulnerability' as attackers can leverage the stored XSS to redirect users to malicious sites. System administrators should also consider implementing content security policies and web application firewalls to provide additional layers of protection against similar vulnerabilities, particularly in environments where updating plugins may be delayed due to compatibility concerns or deployment schedules.