Attack Vectors
CVE-2023-27621 is a Medium severity (CVSS 4.4) Stored Cross-Site Scripting (Stored XSS) vulnerability affecting the Livestream Notice WordPress plugin (livestream-notice) in versions up to and including 1.2.0.
The attack requires an authenticated user with Administrator (or higher) access to submit content that contains malicious script code. Once inserted, that script can execute in a visitor’s browser whenever someone loads the affected page or admin view where the injected content is displayed.
This issue is specifically relevant in WordPress multisite environments and in installations where unfiltered_html has been disabled. In these configurations, even trusted roles can be constrained in what HTML they are allowed to add—making gaps in plugin sanitization and escaping more consequential.
Security Weakness
The root cause is insufficient input sanitization and output escaping within Livestream Notice (through version 1.2.0). In practical terms, the plugin does not adequately clean risky input at the time it is saved and/or does not safely encode it when it is later displayed.
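To make the "sanitize on save, escape on output" point concrete, here is an added illustration of the two patterns side by side. It is not code from the Livestream Notice plugin or from Wordfence; the option names, form field names, capability and shortcode name are assumptions chosen for the example. One detail worth knowing when reading the unfiltered_html discussion above: WordPress core's kses filtering applies to post content, not to a plugin's own settings fields, so a plugin that stores administrator-supplied HTML in an option has to do that filtering itself, and it should not assume the unfiltered_html capability tells it whether a value is safe.

```php
<?php
/**
 * Added illustration (not the plugin's code): the save/display pattern that a
 * stored-XSS finding of this kind points at. Option name, POST field names,
 * capability and shortcode name are assumptions for the example.
 */

// Hypothetical options holding the notice body and a short label.
const LSN_DEMO_OPTION_BODY  = 'lsn_demo_notice_body';
const LSN_DEMO_OPTION_LABEL = 'lsn_demo_notice_label';

/**
 * Vulnerable pattern: the submitted value is stored as-is and later echoed
 * without escaping. Script submitted by an administrator survives both steps
 * and runs in the browser of whoever views the page.
 */
function lsn_demo_save_unsafe() {
    if ( isset( $_POST['lsn_notice'] ) ) {
        update_option( LSN_DEMO_OPTION_BODY, wp_unslash( $_POST['lsn_notice'] ) ); // no sanitization
    }
}

function lsn_demo_render_unsafe() {
    return '<div class="lsn-notice">' . get_option( LSN_DEMO_OPTION_BODY, '' ) . '</div>'; // no escaping
}

/**
 * Hardened pattern: capability check, nonce, an allow-list of HTML on save,
 * and context-appropriate escaping on output. wp_kses() is applied whether or
 * not the current user holds unfiltered_html, so the stored value is safe in
 * both single-site and multisite configurations.
 */
function lsn_demo_allowed_html() {
    // Inline formatting and links only: no script tags, no on* event handlers.
    return array(
        'a'      => array( 'href' => array(), 'title' => array(), 'rel' => array() ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

function lsn_demo_save_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators may change the notice
    }
    check_admin_referer( 'lsn_demo_save', 'lsn_demo_nonce' ); // CSRF protection for the form

    if ( isset( $_POST['lsn_notice'] ) ) {
        // Body may carry limited HTML: filter against the allow-list.
        $body = wp_kses( wp_unslash( $_POST['lsn_notice'] ), lsn_demo_allowed_html() );
        update_option( LSN_DEMO_OPTION_BODY, $body );
    }
    if ( isset( $_POST['lsn_label'] ) ) {
        // Label is plain text that ends up inside an attribute: strip all tags.
        $label = sanitize_text_field( wp_unslash( $_POST['lsn_label'] ) );
        update_option( LSN_DEMO_OPTION_LABEL, $label );
    }
}

function lsn_demo_render_safe() {
    $body  = get_option( LSN_DEMO_OPTION_BODY, '' );
    $label = get_option( LSN_DEMO_OPTION_LABEL, '' );

    // Escape for the context where each value lands: esc_attr() inside the
    // attribute, wp_kses() again for the HTML body so a value that reached the
    // database by another route (import, direct DB edit) is still filtered.
    return '<div class="lsn-notice" title="' . esc_attr( $label ) . '">'
        . wp_kses( $body, lsn_demo_allowed_html() )
        . '</div>';
}

add_shortcode( 'lsn_demo_notice', 'lsn_demo_render_safe' );
```

The defensive habit the example encodes is to treat every stored value as untrusted at display time, even when only administrators can write it: sanitize to the narrowest form the field needs when saving (an HTML allow-list for rich text, `sanitize_text_field()` for plain strings), and escape for the exact output context (`esc_attr()`, `esc_html()`, `esc_url()`, or `wp_kses()`) when rendering. Relying on the author's role or on unfiltered_html alone is exactly the gap this advisory describes.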
Stored XSS is a business-relevant risk because it turns your site into a delivery mechanism for unwanted scripts—potentially impacting staff, partners, and customers who view affected pages.
Remediation: Update Livestream Notice to version 1.3.0 or a newer patched release. (Source: Wordfence vulnerability record)
Technical or Business Impacts
While this vulnerability requires administrator-level access, it still presents meaningful risk—especially for organizations with multiple admins, shared credentials, outsourced site management, or complex multisite governance.
Potential impacts include:
Brand and customer trust damage: Users exposed to unexpected pop-ups, redirects, or altered page content may lose confidence in the organization’s professionalism and security.
Session and account risk: Depending on where the script executes, it may be able to interact with a user’s logged-in session in their browser, increasing the risk of unauthorized actions occurring under a legitimate user’s account.
Compliance and audit concerns: For regulated organizations, evidence that a production web property can deliver injected scripts may trigger security findings, increased scrutiny, and remediation costs—particularly in multisite environments where the blast radius can be broader.
Similar Attacks
Stored XSS has been used in real-world incidents to spread rapidly and undermine trust by executing unwanted code in users’ browsers. Examples include:
The “Samy” MySpace worm (a classic stored XSS case that propagated by injecting script into profile pages).
The 2010 “Twitter worm” incident (an XSS-driven event that spread by causing actions to occur when users viewed malicious content).
For reference on this specific vulnerability: CVE-2023-27621 record.