Stagtools < 2.3.7 – Contributor+ Stored XSS | CVE 2023-0891 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. Create a Post and add a Shortcode.
2. Paste the stagcode in the input:

```
[stag_icon icon="link" url="https://example.com/" size='100px' new_window="no" style='test-style4 fa-link" onmouseover="alert(document.domain)" x="']
```

3. Save the post. Preview it. Hover your mouse over the icon.

Affects Plugins

Fixed in 2.3.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

xplo1t

Submitter

xplo1t

Submitter twitter

Verified

Yes

WPVDB ID

72397fee-9768-462b-933c-400181a5487c

Timeline

Publicly Published

2023-04-05 (about 2 years ago)

Added

2023-04-05 (about 2 years ago)

Last Updated

2023-04-05 (about 2 years ago)

Other

Published

Title

Published

2025-05-19

Title

WP Image Mask < 3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-11-07

Title

Countdown and CountUp, WooCommerce Sales Timer < 1.8.3 - Admin+ Stored XSS

Published

2023-04-18

Title

Kaya QR Code Generator < 1.5.3 - Contributor+ Stored XSS

Published

2023-02-06

Title

Arigato Autoresponder and Newsletter < 2.7.1.1 - Unauthenticated Stored XSS

Published

2025-02-28

Title

SKU Generator for WooCommerce < 1.6.3 - Reflected Cross-Site Scripting