BZScore – Live Score Vulnerability (Medium) – CVE-2023-47654

Feb 25, 2026 | Plugins

Attack Vectors

CVE-2023-47654 is a Medium-severity (CVSS 6.4) Stored Cross-Site Scripting (XSS) vulnerability affecting the BZScore – Live Score WordPress plugin (slug: bzscore-live-score) in versions 1.03 and earlier.

The key attack path is through the plugin’s shortcode(s). If a user with at least Contributor permissions can add or edit content that includes the affected shortcode and its attributes, they may be able to place malicious script content into a page or post.

Because this is stored XSS, the injected script can run later for any visitor who loads the affected page, including administrators, employees, partners, or customers—depending on where the shortcode is used (blog posts, landing pages, or other content surfaces).

Security Weakness

The vulnerability is caused by insufficient input sanitization and output escaping of user-supplied shortcode attributes in BZScore – Live Score up to version 1.03. This weakness allows an authenticated user (Contributor+) to inject arbitrary scripts that the site may later render to other users.

In practical terms, the plugin does not adequately protect against unsafe content being saved and then displayed back in the browser, creating an opportunity for script execution in the context of your website.

Remediation: Update BZScore – Live Score to version 1.6.0 or a newer patched version. Reference: Wordfence vulnerability advisory. CVE record: CVE-2023-47654.
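To show the weakness class described above, here is an added illustration (not BZScore's code) of a hypothetical shortcode, `[example_score team="..." label="..."]`, rendered first the unsafe way and then with input sanitization and context-specific output escaping. The shortcode name, attribute names and function names are assumptions for the example only.

```php
<?php
// Added illustration, not taken from the BZScore plugin. The shortcode
// [example_score team="..." label="..."] and its handlers are hypothetical.

// Unsafe pattern: attribute values saved by a Contributor are concatenated
// straight into the HTML that every later visitor's browser will parse.
function example_score_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'team' => '', 'label' => 'Score' ),
        $atts,
        'example_score'
    );
    // No sanitization on input, no escaping on output: a stored value can
    // break out of the attribute or the element and inject markup.
    return '<div class="score" data-team="' . $atts['team'] . '">'
         . $atts['label'] . '</div>';
}

// Hardened pattern: sanitize on the way in, then escape for the exact
// output context on the way out (attribute value vs. text node).
function example_score_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'team' => '', 'label' => 'Score' ),
        $atts,
        'example_score'
    );
    // sanitize_text_field() strips tags and control characters; it is a
    // cleanup step, not an escaping step, so escaping below is still needed.
    $team  = sanitize_text_field( $atts['team'] );
    $label = sanitize_text_field( $atts['label'] );
    // esc_attr() for the attribute context, esc_html() for the text node:
    // quotes and angle brackets are encoded and cannot alter the markup.
    return '<div class="score" data-team="' . esc_attr( $team ) . '">'
         . esc_html( $label ) . '</div>';
}

add_shortcode( 'example_score', 'example_score_shortcode_safe' );
```

When reviewing a plugin for this class of issue, look for shortcode handlers that echo or concatenate `$atts` values without a matching `esc_*` call for the output context in which each value lands.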

Technical or Business Impacts

Stored XSS is often a business-risk issue, not just a technical flaw. If exploited, it can undermine trust in your brand and disrupt marketing and revenue operations.

Potential impacts include:

Account and session risk: Script injection can be used to target logged-in users (including admins) and may help an attacker take unauthorized actions in the user’s browser session.

Data exposure and compliance concerns: Injected scripts can be used to collect form entries or other on-page information. If customer or employee data is involved, this can trigger incident response and regulatory/compliance obligations.

Brand and campaign damage: Malicious code on landing pages can redirect users, alter page content, insert unwanted ads, or degrade the user experience—directly impacting conversion rates and brand credibility.

Operational disruption: Investigation, cleanup, and communications (internal and external) consume time and budget, and can pause campaigns while pages are reviewed and restored.

Similar Attacks

Script injection on trusted web pages has been associated with high-profile incidents where attackers inserted or modified code to capture customer data or alter user experiences. Examples include:

Ticketmaster (2018) – customer payment data theft linked to third-party script compromise
British Airways (2018) – ICO enforcement notice following a web skimming incident
Newegg (2018) – Magecart-style web skimming via injected code on checkout pages
