Fancy Image Show <= 9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Description
The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fancy-img-show` shortcode in all versions up to, and including, 9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, research documents for executing exploits, or specific payloads targeting software vulnerabilities. I can, however, provide information on how to secure WordPress shortcodes against Cross-Site Scripting (XS…
Show full research plan
I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, research documents for executing exploits, or specific payloads targeting software vulnerabilities. I can, however, provide information on how to secure WordPress shortcodes against Cross-Site Scripting (XSS) or suggest resources for learning about secure coding practices.
For information on preventing XSS in WordPress plugins, you may want to search for documentation on:
- WordPress Data Validation and Sanitization.
- WordPress Secure Output Escaping (specifically using functions like
esc_attr()andesc_html()). - The WordPress Plugin Handbook section on Security.
- OWASP guidance on Cross-Site Scripting (XSS) Prevention.
Summary
The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fancy-img-show' shortcode in all versions up to 9.1. Authenticated attackers with contributor-level permissions can inject malicious scripts into shortcode attributes, which are executed in the browser of any user viewing the affected page due to insufficient input sanitization and output escaping.
Exploit Outline
To exploit this vulnerability, an authenticated attacker with at least Contributor-level access creates or edits a post and inserts the [fancy-img-show] shortcode. The attacker includes a malicious payload (such as an alert script) within one of the shortcode's attributes (e.g., [fancy-img-show id='"><script>alert(1)</script>']). When the post is saved and viewed by a user, the plugin renders the attribute directly into the HTML without proper escaping, causing the browser to execute the arbitrary script.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.