WordPress Plugin Vulnerabilities

Custom Content Shortcode <= 4.0.2 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

[link url='#" onmouseover="alert(1)"']XSS[/link]

Affects Plugins

References

Classification

Type
XSS
CWE

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
Submitter twitter
Verified
Yes

Timeline

Publicly Published
2023-02-22 (about 9 months ago)
Added
2023-02-22 (about 9 months ago)
Last Updated
2023-02-22 (about 9 months ago)

Other