The plugin does not implement any sanitisation on the background color setting of a calculator, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
1. Go to the settings page available under the "Calculator" menu item.
2. Click the "Select Color" button and type the following payload into the input field: </style></head><script>alert(/XSS/)</script>
3. Click the "Save Changes" button to save the settings.
4. Create a new page and add the calculator's shortcode ([mcwp type="cv"]) for testing.
5. Visit the page to trigger the XSS.
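The root cause is a color value that is stored unchecked and then inlined into a style block, so a value containing a closing style tag escapes the CSS context. The following is an added example, not the plugin's own code, showing the vulnerable rendering beside a hardened version that validates the value as a hex color on save and again on output; the mcwp_example_* function names and the option name are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code): validate a color setting before it is
// inlined into a <style> block. The option name and function names are assumed.

// Standalone equivalent of WordPress core's sanitize_hex_color(): returns the
// value for a valid 3- or 6-digit "#rrggbb" hex color, '' for an empty value,
// and null for anything else (so the advisory's payload is rejected).
function mcwp_example_sanitize_hex_color(string $color): ?string {
    if ($color === '') {
        return '';
    }
    return preg_match('/^#([A-Fa-f0-9]{3}){1,2}$/', $color) ? $color : null;
}

// Vulnerable pattern: the stored option is echoed verbatim into the page head,
// so a value ending the <style> element lands in an HTML context.
function mcwp_example_render_unsafe(string $stored_color): string {
    return "<style>.mcwp-calc{background:" . $stored_color . "}</style>";
}

// Hardened pattern: validate on output as well as on save; anything that is
// not a hex color falls back to a fixed default instead of reaching the page.
function mcwp_example_render_safe(string $stored_color, string $default = '#ffffff'): string {
    $color = mcwp_example_sanitize_hex_color($stored_color);
    if ($color === null || $color === '') {
        $color = $default;
    }
    return "<style>.mcwp-calc{background:" . $color . "}</style>";
}

// Inside WordPress, the same validation belongs on the save path as the
// setting's sanitize_callback (register_setting() args, WP 4.7+). Guarded so
// this file also runs outside WordPress.
if (function_exists('register_setting')) {
    register_setting('mcwp_example_options', 'mcwp_example_background_color', [
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_hex_color',
        'default'           => '#ffffff',
    ]);
}

// Constructed inputs: a legitimate color and the advisory's break-out payload.
$good    = '#336699';
$payload = '</style></head><script>alert(/XSS/)</script>';

echo mcwp_example_render_unsafe($payload), "\n"; // payload escapes the style block
echo mcwp_example_render_safe($payload), "\n";   // rejected, default color used
echo mcwp_example_render_safe($good), "\n";      // valid hex color passes through
```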
Ceylan Bozogullarindan
2022-01-11
2022-04-13