CVE-2023-2436 MEDIUM

CVE-2023-2436: Blog-in-Blog <= 2.0.0 - Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode

Vendor Timhodson

Product Blog-in-Blog

Weakness CWE-79 · XSS

Published May 31, 2023

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

4.4/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Blog-in-Blog plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blog_in_blog' shortcode in versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with editor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Key dates

02Disclosure timeline

May 31, 2023 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-2436 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-49955 WordPress WP Smart Flexslider Plugin <= 2.5 - Cross Site Scripting (XSS) Vulnerability CVE-2025-62295 Stored XSS in SOPlanning CVE-2023-3083 Cross-site Scripting (XSS) - Stored in nilsteampassnet/teampass CVE-2025-1287 The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets CVE-2025-22261 WordPress WP FullCalendar plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability