CVE-2023-5741 in POWR Plugin
Summary
by MITRE • 11/13/2023
The POWR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'powr-powr-pack' shortcode in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 04/11/2026
CVE-2023-5741 affects the POWR plugin for WordPress, a widely used tool for adding interactive elements and widgets to websites. The plugin contains a stored cross-site scripting flaw in versions up to and including 2.1.0, caused by inadequate input sanitization and output escaping in the plugin's powr-powr-pack shortcode implementation. Security researchers have determined that this weakness allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into web pages, and that those scripts execute whenever any user accesses the affected pages. The flaw is a significant security risk because it enables persistent malicious code execution within the context of the victim's browser session.
The vulnerability is classified under CWE-79 (Cross-Site Scripting), specifically the stored variant, in which malicious scripts are permanently stored on the target server and executed whenever users access the affected pages. The flaw lies in the shortcode processing mechanism of the POWR plugin, where user-supplied attributes are not properly sanitized before being rendered in the output. The affected powr-powr-pack shortcode allows users to embed interactive elements such as social media feeds, contact forms, and other dynamic content. Attackers can exploit the flaw by crafting malicious input within the shortcode attributes; that input is stored in the database and executed when pages containing these shortcodes are rendered.
The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with a persistent foothold within WordPress installations. Contributors and higher-level users typically have the ability to create and edit posts, pages, and media, making this vulnerability particularly dangerous in multi-user environments where user permissions are not strictly enforced. When an attacker successfully injects malicious scripts through the powr-powr-pack shortcode, the injected code executes in the context of other users' browsers, potentially allowing for session hijacking, credential theft, data exfiltration, or further exploitation of the compromised systems. The stored nature of this XSS vulnerability means that the malicious code persists even after the initial attack, continuing to affect users until the malicious content is removed from the database.
Mitigation strategies for CVE-2023-5741 should prioritize immediate plugin updates to the latest available version that contains fixes for this vulnerability. Organizations should also implement strict input validation and output escaping mechanisms for all user-supplied content, particularly within shortcode implementations. Network monitoring and intrusion detection systems should be configured to detect suspicious shortcode usage patterns that may indicate exploitation attempts. Additionally, administrators should consider implementing role-based access controls to limit contributor-level permissions and ensure that only trusted users have the ability to modify content that could potentially be used for XSS attacks. The vulnerability aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments, though in this case the attack vector is through content modification rather than external phishing. Security teams should also conduct regular security audits of installed plugins and maintain up-to-date vulnerability databases to quickly identify and remediate similar issues across their WordPress installations.
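The analysis notes that injected content stays in the database until it is removed and that suspicious shortcode usage should be detected. The following Python audit is an added example, not code from VulDB or the POWR project: it scans stored post content for powr-powr-pack shortcodes whose attribute values contain markup or quoting characters. The attribute names `widget` and `label`, the sample rows and the choice of risky patterns are assumptions made for illustration; in a real audit the rows would come from the `post_content` column of the WordPress posts table.

```python
import html
import re

TAG = "powr-powr-pack"  # shortcode named in the advisory

# One [powr-powr-pack ...] occurrence; the body runs to the first closing bracket.
SHORTCODE_RE = re.compile(r"\[" + re.escape(TAG) + r"(?![\w-])([^\]]*)\]", re.I)
# name="v", name='v' or name=v: the three attribute forms shortcodes accept.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")
# Assumed policy: a widget attribute has no reason to carry quotes, angle
# brackets, backticks, event-handler names or a javascript: scheme.
RISKY_RE = re.compile(r"""[<>"'`]|\bon\w+\s*=|javascript:""", re.I)


def audit_posts(posts):
    """Return (post_id, attribute, decoded_value) for each risky attribute."""
    findings = []
    for post_id, content in posts:
        for shortcode in SHORTCODE_RE.finditer(content):
            for attr in ATTR_RE.finditer(shortcode.group(1)):
                raw = next(g for g in attr.groups()[1:] if g is not None)
                # Decode entities so &lt; and &quot; cannot hide markup characters.
                value = html.unescape(raw)
                if RISKY_RE.search(value):
                    findings.append((post_id, attr.group(1), value))
    return findings


# Constructed sample rows (post ID, post_content); not taken from a real site.
SAMPLE_POSTS = [
    (101, 'Intro text [powr-powr-pack widget="a1b2c3d4"] outro'),
    (102, "[powr-powr-pack widget='x\" data-constructed=\"1']"),
    (103, '[powr-powr-pack widget=abc label="&lt;i&gt;constructed&lt;/i&gt;"]'),
    (104, 'No shortcode here, just "quotes" and <b>markup</b>.'),
]

if __name__ == "__main__":
    for post_id, name, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: attribute {name!r} has suspicious value {value!r}")
```

Flagged posts are candidates for manual review and cleanup; a clean result does not replace updating the plugin.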