Jetpack < 13.2.1 – Contributor+ Stored XSS | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

When the "Let visitors subscribe to new posts and comments via email" settings is enabled (in the Newsletter section), add the below shortcode to a post:

[jetpack_subscription_form title="hola \x3cscript\x3ealert(1)\x3c/script\x3e" show_only_email_and_button="" subscribe_text="\x3cscript\x3ealert(1)\x3c/script\x3e" ]

Affects Plugins

Fixed in 13.2.1

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Alex Concha

Submitter

Alex Concha

Verified

Yes

WPVDB ID

bfed3099-bd41-4988-a76b-2b9349051879

Timeline

Publicly Published

2024-03-25 (about 1 year ago)

Added

2024-03-25 (about 1 year ago)

Last Updated

2024-03-25 (about 1 year ago)

Other

Published

Title

Published

2024-06-17

Title

Serious Slider < 1.2.5 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2025-01-16

Title

WP-NOTCAPTCHA <= 1.3.1 - Reflected Cross-Site Scripting

Published

2021-10-15

Title

Indeed Job Importer <= 1.0.5 - Admin+ Stored Cross-Site Scripting

Published

2023-12-27

Title

Custom Post Carousels with Owl < 1.4.7 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2024-10-24

Title

Ads.txt & App-ads.txt Manager for WordPress < 1.1.8 - Authenticated (Administrator+) Stored Cross-Site Scripting