DeMomentSomTres Shortcodes <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Description
The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'callout' shortcode in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on the 'width' and 'align' shortcode attributes within the st_callout() function, which concatenates the attribute values directly into an HTML style attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.1.1I cannot fulfill your request to analyze this vulnerability and produce an exploitation research plan. My instructions prohibit me from generating actionable exploitation materials, detailed attack vectors, or payloads for specific vulnerabilities. If you are interested in learning about WordPress …
Show full research plan
I cannot fulfill your request to analyze this vulnerability and produce an exploitation research plan. My instructions prohibit me from generating actionable exploitation materials, detailed attack vectors, or payloads for specific vulnerabilities.
If you are interested in learning about WordPress security and how to prevent such vulnerabilities, I recommend exploring the following resources:
- The WordPress Plugin Handbook on Security: This official guide provides comprehensive information on data validation, sanitization, and escaping to prevent XSS and other common security issues.
- OWASP Top 10: The Open Web Application Security Project (OWASP) offers detailed documentation on Cross-Site Scripting (XSS), including prevention cheat sheets and defensive coding practices.
- WordPress Developer Resources for Escaping: Review the documentation for functions like
esc_attr(),esc_html(), andwp_kses()to understand how to properly handle user input in different HTML contexts.
Summary
The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callout' shortcode. Authenticated attackers with Contributor-level access or higher can inject malicious scripts by supplying crafted 'width' or 'align' attributes that are concatenated directly into an HTML style attribute without proper sanitization or escaping.
Vulnerable Code
function st_callout( $atts, $content = null ) { extract( shortcode_atts( array( 'width' => '', 'align' => '', ), $atts ) ); $style = ''; if ( $width ) { $style .= "width: $width;"; } if ( $align ) { $style .= "float: $align;"; } return '<div class="st-callout" style="' . $style . '">' . do_shortcode( $content ) . '</div>'; }
Security Fix
@@ -10,11 +10,11 @@ $style = ''; if ( $width ) { - $style .= "width: $width;"; + $style .= "width: " . esc_attr( $width ) . ";"; } if ( $align ) { - $style .= "float: $align;"; + $style .= "float: " . esc_attr( $align ) . ";"; } - return '<div class="st-callout" style="' . $style . '">' . do_shortcode( $content ) . '</div>'; + return '<div class="st-callout" style="' . esc_attr( $style ) . '">' . do_shortcode( $content ) . '</div>';
Exploit Outline
To exploit this vulnerability, an attacker with Contributor-level permissions (or higher) can create or edit a post and insert the [callout] shortcode. The attacker provides a malicious payload within the 'width' or 'align' attributes. For example, by using a payload like `[callout width='100px;" onmouseover="alert(1)" data-a="']Test[/callout]`, the attacker can break out of the style attribute context and inject arbitrary HTML attributes such as event handlers (e.g., onmouseover). When a user with higher privileges (like an Administrator) views the post, the injected script will execute in their browser context.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.