Simple Blog Card < 1.31 – Contributor+ Stored XSS via Shortcode | CVE 2023-4035 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

As a contributor, put the following shortcode in a post

[simpleblogcard url="http://***.*/" color='red;" onmouseover="alert(/XSS/)"']

Other affected attributes: color, color_width, t_line_height, d_line_height

Affects Plugins

simple-blog-card

Fixed in 1.31

References

CVE

URL

https://blog.cleantalk.org/cve-2023-4035-simple-blog-card-1-31-contributor-stored-xss-via-shortcode/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

8fd9192a-2d08-4127-adcd-87fb1ea8d6fc

Timeline

Publicly Published

2023-08-02 (about 9 months ago)

Added

2023-08-02 (about 9 months ago)

Last Updated

2023-08-22 (about 8 months ago)

Other

Published

Title

Published

2024-04-19

Title

ShopLentor < 2.8.2 - Contributor+ Stored XSS

Published

2017-07-04

Title

Responsive Lightbox by dFactory <= 1.7.1 - Authenticated Cross-Site Scripting (XSS)

Published

2020-09-09

Title

LearnPress < 3.2.7.3 - CSRF & XSS

Published

2023-10-12

Title

Simple File List < 6.1.10 - Admin+ Stored XSS

Published

2014-08-01

Title

Editorial Calendar 2.6 - Post Title XSS