WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting

Description

The plugin does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. Please note that such attack is still possible by admin+ in single site blogs by default (but won't be when the unfiltered_html is disallowed)

Proof of Concept

As a contributor, add a custom field in a post (while in a post editor, open the Options panel > Preferences > Panels and enable the Custom Fields), such as test_xss with a value of <script>alert(/XSS/)</script>

Then add the following shortcode to the post [field test_xss] and view/preview it to trigger the XSS

Affects Plugins

custom-content-shortcode
Fixed in version 4.0.2

References

CVE
CVE-2021-24826

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Francesco Carlucci

Submitter

Francesco Carlucci

Submitter website
https://carluc.ci
Submitter twitter
francecarlucci
Verified

Yes

WPVDB ID
e247d78a-7243-486c-a017-7471a8dcb800

Timeline

Publicly Published

2022-02-02 (about 7 months ago)

Added

2022-02-02 (about 7 months ago)

Last Updated

2022-04-09 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin