WP Matterport Shortcode < 2.1.8 – Contributor+ Stored XSS via shortcode | CVE 2023-4289 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor, put the following shortcodes in the page/post and view/preview it

[matterport src="test" width='1 " onerror="alert(/XSS1/)']
[matterport src="test" window='"onmouseover=alert(/XSS2/)//'] (and move the mouse over the generated block to trigger the XSS)

Other affected attributes: height, help, hl, qs, brand, lang, hhl, kb, lp, title, tourcta, maxzoom, minzoom, zoomtrans, mpv, filter, minimapfilter, copyright, ga, aa

Affects Plugins

shortcode-gallery-for-matterport-showcase

Fixed in 2.1.8

References

CVE

URL

https://blog.cleantalk.org/cve-2023-4289-wp-matterport-shortcode-2-1-8-contributor-stored-xss-via-shortcode

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

38c337c6-048f-4009-aef8-29c18afa6fdc

Timeline

Publicly Published

2023-09-25 (about 7 months ago)

Added

2023-09-25 (about 7 months ago)

Last Updated

2023-09-26 (about 7 months ago)

Other

Published

Title

Published

2019-05-27

Title

Event Management Tickets Booking By Event Monster <= 1.0.5 - Stored XSS

Published

2021-05-31

Title

The Plus Addons for Elementor < 4.1.12 - Reflected Cross-Site Scripting (XSS)

Published

2017-07-30

Title

WP Live Chat Support < 7.1.05 - Cross-Site Scripting (XSS)

Published

2023-11-28

Title

Crypto Converter Widget < 1.8.4 - Contributor+ Stored XSS

Published

2011-09-27

Title

Zenlite < 4.4 - XSS