WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Donorbox 7.1~7.1.1 - Stored Cross-Site Scripting via Shortcode

Description

In Donorbox WordPress plugin, one can perform an XSS attack via the included shortcode by inserting arbitrary HTML attributes. 

This vulnerability was introduced in v7.1 and fixed in v7.1.2.

Proof of Concept

[donate url='/\?\" autofocus onfocus=\"alert(window)\" abitraryAttributeToValidateShortcodeParsing=\"']

Affects Plugins

donorbox-donation-form
Fixed in version 7.1.2

References

URL
https://gist.github.com/sybrew/833bf49d81bc8246fba8dabf8a3ba12a

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Sybre Waaijer

Submitter

Sybre Waaijer

Submitter website
https://theseoframework.com/
Submitter twitter
SybreWaaijer
Verified

No

WPVDB ID
8c42ba42-f543-4a59-901a-62e62a491c53

Timeline

Publicly Published

2019-12-31 (about 3 years ago)

Added

2019-12-31 (about 3 years ago)

Last Updated

2020-01-01 (about 3 years ago)

Our Other Services

WPScan WordPress Security Plugin