CVE-2023-5743 in Telephone Number Linker Plugin
Summary
by MITRE • 11/07/2023
The Telephone Number Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'telnumlink' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/11/2026
The Telephone Number Linker plugin for WordPress presents a critical security vulnerability classified as CVE-2023-5743, affecting all versions up to and including 1.2. This vulnerability manifests as a stored cross-site scripting flaw within the plugin's 'telnumlink' shortcode functionality, representing a significant threat to WordPress site integrity and user security. The flaw stems from inadequate input sanitization and output escaping mechanisms that fail to properly validate or escape user-supplied attributes before processing them within the shortcode implementation. Attackers exploiting this vulnerability can inject malicious JavaScript code that persists within the plugin's shortcode parameters, making the vulnerability particularly dangerous as it allows for long-term persistence of malicious payloads.
The technical nature of this vulnerability places it firmly within the scope of CWE-79, which defines Cross-Site Scripting (XSS) as a critical weakness in web applications where untrusted data is improperly incorporated into web pages. The vulnerability specifically affects authenticated attackers who possess contributor-level permissions or higher, which represents a concerning threat vector since contributors typically have the ability to modify content and create posts or pages. This access level allows attackers to inject malicious code through the plugin's shortcode functionality, which then executes whenever any user accesses pages containing the compromised shortcode. The stored nature of this vulnerability means that the malicious scripts remain persistent within the affected WordPress installation until manually removed, creating ongoing security risks for all users who encounter the compromised content.
The operational impact of CVE-2023-5743 extends beyond simple script execution, as it provides attackers with potential access to sensitive user data and session information through the execution of malicious JavaScript. The vulnerability enables attackers to perform various malicious activities including but not limited to cookie theft, session hijacking, and redirection to malicious sites. This threat is particularly concerning in enterprise WordPress environments where contributors may have access to sensitive business information or where the plugin is used extensively across multiple sites. The attack surface expands significantly since the malicious scripts execute in the context of the victim's browser session, potentially allowing attackers to impersonate users or access restricted administrative functions. The vulnerability also aligns with ATT&CK technique T1566, which covers social engineering through malicious links and content injection methods that can be leveraged for credential theft and privilege escalation.
Mitigation strategies for CVE-2023-5743 must prioritize immediate plugin updates to versions that address the input sanitization and output escaping deficiencies. Organizations should implement strict permission controls to limit contributor access to plugin functionality where possible, as this reduces the attack surface for potential exploitation. The implementation of Content Security Policy (CSP) headers can provide additional protection against script execution, though this should complement rather than replace proper input validation. Regular security audits of WordPress plugins and themes should include verification of input sanitization practices and output escaping mechanisms to prevent similar vulnerabilities from emerging. Security monitoring should focus on detecting unauthorized shortcode modifications and suspicious content injections within WordPress installations. Additionally, implementing web application firewalls with XSS detection capabilities can provide an additional layer of protection for WordPress environments that may not immediately update vulnerable plugins. The vulnerability highlights the critical importance of proper input validation and output escaping practices in web application development, particularly for plugins that process user-supplied content through shortcode mechanisms.