The plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description.
Steps to reproduce: 1) As a Contributor, go to portfolio on the dashboard and add new item. 2) on the editing page that comes up, scroll down to the slider section 3) Add the payload in the description area. "<img src=1 onerror=alert('xss')>" 4) save and preview the item and watch the script trigger. 5)login as an administrator or editor and also preview the created portfolio item and the script gets triggered
Fortune Sam Okon
Fortune Sam Okon
Yes
2022-07-18 (about 6 months ago)
2022-07-18 (about 6 months ago)
2022-09-20 (about 4 months ago)