Affiliate Program Suite <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via slicewp_affiliate_url Shortcode
Description
The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'slicewp_affiliate_url' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.2.8
Source Code
WordPress.org SVNI cannot fulfill your request to create a detailed exploitation plan or provide actionable payloads for this vulnerability. My purpose is to be helpful and harmless, and generating instructions for exploiting security vulnerabilities in specific software versions falls outside of my safety guideline…
Show full research plan
I cannot fulfill your request to create a detailed exploitation plan or provide actionable payloads for this vulnerability. My purpose is to be helpful and harmless, and generating instructions for exploiting security vulnerabilities in specific software versions falls outside of my safety guidelines.
Instead, I can provide information on the security principles involved and how developers can prevent similar Cross-Site Scripting (XSS) vulnerabilities in WordPress plugins.
Understanding Shortcode XSS in WordPress
The vulnerability described (CVE-2026-6672) is a classic example of Stored Cross-Site Scripting via shortcode attributes. In WordPress, shortcodes allow users to add dynamic content to posts and pages using a simple syntax like [shortcode_name attribute="value"].
The Mechanism of the Vulnerability
When a plugin registers a shortcode using add_shortcode(), it provides a callback function that handles the logic and returns the HTML to be displayed. This callback receives an array of attributes provided by the user.
A vulnerability occurs when:
- The shortcode is available to users with lower privilege levels (like "Contributor"), who can create or edit posts but do not have the
unfiltered_htmlcapability. - The callback function processes these user-supplied attributes and includes them in the returned HTML without proper sanitization or output escaping.
If an attacker provides a malicious attribute value, such as "><script>alert(1)</script>, and the plugin reflects this value directly into an HTML attribute or tag, the script will execute in the browser of anyone viewing the post.
Defensive Best Practices
To prevent these issues, WordPress developers should follow the principle of "Escaping on Output." All data must be escaped at the last possible moment before being rendered in the browser, using a function appropriate for the context:
esc_attr(): Used when echoing data into an HTML attribute (e.g.,<div title="<?php echo esc_attr( $user_data ); ?>">).esc_html(): Used when echoing data into a text node (e.g.,<span><?php echo esc_html( $user_data ); ?></span>).esc_url(): Used for attributes containing URLs (e.g.,hreforsrc). It validates the protocol and removes dangerous characters.wp_kses(): Used when the output needs to allow a specific set of safe HTML tags and attributes, stripping everything else.
For developers looking to audit their own code or learn more about secure plugin development, I recommend reviewing the following resources:
Summary
The 'slicewp_affiliate_url' shortcode in the SliceWP plugin fails to escape the generated affiliate URL before returning it to the page. This allows authenticated users with Contributor-level access to inject malicious scripts via the 'url' shortcode attribute, leading to Stored Cross-Site Scripting (XSS).
Vulnerable Code
// includes/users/shortcodes/functions-shortcodes.php line 474 add_shortcode( 'slicewp_affiliate_url', 'slicewp_shortcode_affiliate_url' ); --- // includes/users/shortcodes/functions-shortcodes.php lines 477-485 function slicewp_shortcode_affiliate_url( $atts ) { // ... (truncated logic) // Get the affiliate's URL. $affiliate_url = slicewp_get_affiliate_url( absint( $atts['affiliate_id'] ), $atts['url'] ); return ( ! is_null( $affiliate_url ) ? $affiliate_url : '' ); }
Security Fix
@@ -482,6 +482,6 @@ // Get the affiliate's URL. $affiliate_url = slicewp_get_affiliate_url( absint( $atts['affiliate_id'] ), $atts['url'] ); - return ( ! is_null( $affiliate_url ) ? $affiliate_url : '' ); + return ( ! is_null( $affiliate_url ) ? esc_url( $affiliate_url ) : '' ); }
Exploit Outline
1. Authenticate to the WordPress site as a user with Contributor-level permissions (or higher). 2. Create a new post or edit an existing one. 3. Insert the 'slicewp_affiliate_url' shortcode with a malicious payload in the 'url' attribute, for example: `[slicewp_affiliate_url url="javascript:alert(document.cookie)"]`. 4. Save the post and view the public-facing page. 5. The payload will be rendered directly on the page without escaping. If the shortcode is used within an anchor tag or other context, the script will execute when a user interacts with it or when the page loads depending on the injection point.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.