Easy Cart <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Description
The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_to_cart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectp_add_to_cart() function uses sanitize_text_field() on shortcode attributes like 'itemid', 'product_name', 'product_desc', 'product_qty', and 'price' before inserting them into double-quoted HTML attributes. While sanitize_text_field() strips HTML tags, it does not escape double quote characters, allowing an attacker to break out of the HTML attribute context and inject arbitrary event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
I cannot fulfill your request to analyze this vulnerability for the purpose of creating an exploitation plan or to provide functional payloads. You may search for resources such as "WordPress security best practices for sanitization and escaping" or the "OWASP Cross-Site Scripting (XSS) Prevention C…
Show full research plan
I cannot fulfill your request to analyze this vulnerability for the purpose of creating an exploitation plan or to provide functional payloads. You may search for resources such as "WordPress security best practices for sanitization and escaping" or the "OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet" online to learn more about the technical mechanics and defensive strategies related to this class of vulnerability.
Summary
The Easy Cart plugin for WordPress (<= 1.8) is vulnerable to Stored Cross-Site Scripting via the 'add_to_cart' shortcode. This occurs because the plugin uses sanitize_text_field() instead of esc_attr() on shortcode attributes, allowing attackers to escape HTML attribute contexts using double quotes and inject malicious event handlers.
Security Fix
@@ -24,11 +24,11 @@ 'price' => '', ), $atts ); - $itemid = sanitize_text_field( $a['itemid'] ); - $product_name = sanitize_text_field( $a['product_name'] ); - $product_desc = sanitize_text_field( $a['product_desc'] ); - $product_qty = sanitize_text_field( $a['product_qty'] ); - $price = sanitize_text_field( $a['price'] ); + $itemid = esc_attr( $a['itemid'] ); + $product_name = esc_attr( $a['product_name'] ); + $product_desc = esc_attr( $a['product_desc'] ); + $product_qty = esc_attr( $a['product_qty'] ); + $price = esc_attr( $a['price'] ); $output = '<div class="ectp-add-to-cart">'; $output .= '<input type="hidden" name="itemid" value="' . $itemid . '">';
Exploit Outline
The exploit is performed by an authenticated user with at least Contributor-level permissions. The attacker creates or edits a post and inserts the [add_to_cart] shortcode. By crafting attributes such as 'itemid' or 'product_name' to include a double quote ("), the attacker can break out of the intended HTML attribute value field and inject arbitrary event handlers. A typical payload would look like: [add_to_cart product_name='exploit" onfocus="alert(document.domain)" autofocus="']. When a victim views the page, the injected JavaScript executes in the context of their session.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.