WordPress Plugin Vulnerabilities

Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting

Description

The plugin does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. Please note that such attack is still possible by admin+ in single site blogs by default (but won't be when the unfiltered_html is disallowed)

Proof of Concept

As a contributor, add a custom field in a post (while in a post editor, open the Options panel > Preferences > Panels and enable the Custom Fields), such as test_xss with a value of <script>alert(/XSS/)</script>

Then add the following shortcode to the post [field test_xss] and view/preview it to trigger the XSS

Affects Plugins

Plugin icon
custom-content-shortcode
Fixed in 4.0.2

References

CVE
CVE-2021-24826

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Submitter
Francesco Carlucci
Submitter website
https://carluc.ci
Submitter twitter
francecarlucci
Verified
Yes
WPVDB ID
e247d78a-7243-486c-a017-7471a8dcb800

Timeline

Publicly Published
2022-02-02 (about 2 years ago)
Added
2022-02-02 (about 2 years ago)
Last Updated
2022-04-09 (about 2 years ago)

Other

Published
Title
Published
2024-04-10
Title
F4 Improvements < 1.8.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2023-02-02
Title
IP Vault - WP Firewall < 2.1 - Admin+ Stored XSS
Published
2024-03-23
Title
Shortcodes Ultimate < 7.0.5 - Contributor+ Stored Cross-Site Scripting via 'note_color' Shortcode
Published
2020-05-22
Title
ThirstyAffiliates < 3.9.3 - Authenticated Stored XSS
Published
2022-08-11
Title
Uploading SVG, WEBP and ICO files <= 1.2.1 - Author+ Stored Cross-Site Scripting