CVE-2023-5980 in BSK Forms Blacklist Plugin

Summary

by MITRE • 12/26/2023

The BSK Forms Blacklist WordPress plugin before 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


Analysis

by VulDB Data Team • 04/18/2025

The vulnerability identified as CVE-2023-5980 affects versions of the BSK Forms Blacklist WordPress plugin before 3.7 and represents a critical security flaw that undermines the integrity of WordPress multisite environments in particular. It stems from missing input sanitisation and output escaping in the plugin's administrative settings, which opens a path for stored cross-site scripting that can compromise other high-privilege accounts.

The flaw lies in how the plugin handles its form-blacklist configuration. When an administrator saves the settings, the submitted values are neither filtered on input nor escaped before being stored and later rendered in the administrative interface. Exploitation requires a user who is allowed to change plugin settings, which makes the issue most relevant in multi-tenant WordPress installations where many sites share one code base. It matters most in multisite configurations, where the unfiltered_html capability is normally withheld from site administrators precisely to keep them from storing script: the unescaped setting bypasses that restriction.

The operational impact of this stored cross-site scripting vulnerability goes beyond data theft or defacement. A user with administrative privileges can store script that executes in the browser of other administrators or similarly privileged users who open the affected settings page, potentially leading to compromise of the whole WordPress installation. Because the payload is stored, it persists after the initial injection and fires on every visit to the affected page, so it can remain undetected for a long time while hijacking user sessions and potentially escalating to full system compromise.

This vulnerability maps directly to CWE-79 (Cross-Site Scripting). VulDB aligns it with ATT&CK technique T1566.001 for Phishing through Social Engineering, since the stored script could be used to harvest credentials or manipulate administrative functions, and with ATT&CK technique T1078.004 for Valid Accounts - Cloud Accounts, since a compromised administrative session could be leveraged for further lateral movement in cloud-hosted WordPress environments. Organizations should upgrade to version 3.7 or later of the BSK Forms Blacklist plugin and review their multisite policies to ensure the unfiltered_html capability remains appropriately restricted. Monitoring for unusual administrative activity and deploying a web application firewall add defence in depth against exploitation attempts.
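As an added illustration (not code from the BSK Forms Blacklist plugin; the option name, field name and function names are hypothetical), the weak settings pattern described above beside a hardened version that sanitises on input and escapes on output using standard WordPress API calls:

```php
<?php
// Added illustration; not code from the BSK Forms Blacklist plugin.
// The option name, field name and function names are hypothetical.
// WEAK: the submitted value is stored and later echoed verbatim. Any markup
// saved here renders in every administrator's browser when the settings page
// loads, whether or not unfiltered_html is granted to that user.
function weak_save_blacklist_setting() {
    if ( isset( $_POST['blacklist_note'] ) ) {
        update_option( 'example_blacklist_note', $_POST['blacklist_note'] );
    }
}
function weak_render_blacklist_setting() {
    $note = get_option( 'example_blacklist_note', '' );
    echo '<input type="text" name="blacklist_note" value="' . $note . '">';
}

// HARDENED: sanitise on the way in, escape on the way out.
// register_setting() attaches a sanitize_callback that WordPress runs inside
// update_option() for this option, so code paths that bypass the form handler
// still store a cleaned value.
function hardened_register_blacklist_setting() {
    register_setting(
        'example_blacklist_group',
        'example_blacklist_note',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'hardened_register_blacklist_setting' );

function hardened_save_blacklist_setting() {
    // Capability and nonce checks limit who may change the setting at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_blacklist_save' );
    if ( isset( $_POST['blacklist_note'] ) ) {
        $clean = sanitize_text_field( wp_unslash( $_POST['blacklist_note'] ) );
        update_option( 'example_blacklist_note', $clean );
    }
}
function hardened_render_blacklist_setting() {
    // esc_attr() neutralises quotes and angle brackets inside the attribute.
    $note = get_option( 'example_blacklist_note', '' );
    echo '<input type="text" name="blacklist_note" value="' . esc_attr( $note ) . '">';
    wp_nonce_field( 'example_blacklist_save' );
}
```

The sanitize_callback is the part that closes the multisite gap: it runs for every write to the option, so the stored value is clean even for administrators who lack unfiltered_html.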

Reservation: 11/07/2023

Disclosure: 12/26/2023

Moderation: accepted

CPE: ready

EPSS: 0.00379

KEV: no

Activities: very low
