CVE-2023-5745 in Reusable Text Blocks Plugin
Summary
by MITRE • 10/25/2023
The Reusable Text Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'text-blocks' shortcode in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/11/2026
The vulnerability identified as CVE-2023-5745 affects the Reusable Text Blocks plugin for WordPress, a widely used tool that allows users to create and manage reusable content blocks within their WordPress sites. This particular flaw exists in versions up to and including 1.5.3, representing a significant security risk for WordPress installations that rely on this plugin for content management. The vulnerability manifests as a stored cross-site scripting issue that can be exploited by attackers who have already gained author-level privileges or higher within the WordPress environment.
The technical root cause of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's implementation of the 'text-blocks' shortcode functionality. When users with author-level permissions or above create or modify text blocks using this shortcode, the plugin fails to properly sanitize user-supplied attributes before storing them in the database. This insufficient validation allows malicious code to be permanently stored within the WordPress content management system, making it persistent across different user sessions and page accesses. The vulnerability specifically impacts how the plugin processes and renders user input, creating an environment where attacker-controlled scripts can be executed without proper security controls.
The operational impact of CVE-2023-5745 extends beyond simple script injection, as it provides authenticated attackers with a persistent means of executing malicious code within the WordPress environment. Once an attacker gains author-level access or higher, they can inject scripts that will execute whenever any user accesses a page containing the compromised text block. This creates a potential attack vector for various malicious activities including credential theft, session hijacking, data exfiltration, and further privilege escalation within the WordPress installation. The stored nature of the vulnerability means that the malicious scripts remain active even after the initial injection, creating a persistent threat that can affect multiple users over time.
Security professionals should recognize this vulnerability as a classic example of CWE-79 - Improper Neutralization of Input During Web Page Generation, which is categorized under the OWASP Top Ten as a critical web application security risk. The attack pattern aligns with techniques described in the MITRE ATT&CK framework under T1059.001 - Command and Scripting Interpreter: PowerShell, where attackers can establish persistent execution channels through compromised content management systems. Organizations should immediately implement mitigation strategies including updating to the latest version of the Reusable Text Blocks plugin where available, implementing additional input validation measures, and monitoring for suspicious content modifications. The vulnerability also highlights the importance of principle of least privilege in WordPress environments, as restricting user permissions can significantly reduce the impact of such attacks by limiting the scope of potential exploitation.