CVE-2023-0087 Information

Description

The Swifty Page Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘spm_plugin_options_page_tree_max_width’ parameter in versions up to and including 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Reference

https://www.wordfence.com/threat-intel/vulnerabilities/id/8550a405-9fa2-41a3-b556-05ff9f577ce4 https://plugins.trac.wordpress.org/browser/swifty-page-manager/trunk/view/page_tree.php?rev=1555394#L174