Rescue Shortcodes <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description
The Rescue Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Technical Details
Affected versions: <=3.3
What Changed in the Fix
Changes introduced in v3.4
Source Code
WordPress.org SVN
Research plan
```php
'';
if( $margin_bottom ) {
$style_attr .= 'margin-bottom: '. $margin_bottom .';';
}
```
If the plugin was intended to be used with `extract($atts)`, then `$margin_bottom` would be the RAW value from the shortcode.
I could bypass `sanitize_html_class` if the value were used before it is sanitized.
**Is `extract($atts)` used?**
It's not in the snippet.
Let's try to find another one.
**`[rescue_button]` `title`**.
`title="'. $title .'"`.
Wait, the snippet says:
`$title = sanitize_html_class( $atts['class'] );`
This is so specific and weird. Why would `title` be `atts['class']`?
Maybe because in a previous version it was:
`$title = $atts['title'];`
Let's look at the `rescue_column` shortcode (Line 214). It's truncated:
`return '<div class="rescue-column rescue-' . esc_attr( $size ) . ' rescue-column-'. esc_attr( $position ) .' '. esc_attr( $class) .' rescue-'. esc_attr( $visibility ) .'">' . do_shortcode($co`
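The pattern the advisory describes, a shortcode attribute concatenated into an HTML attribute without escaping, shown beside a hardened handler. This is an added example, not the plugin's code; the stand-ins for `esc_attr`, `sanitize_html_class` and `shortcode_atts` are simplified substitutes so it runs outside WordPress, and `weak_box_shortcode`, `hardened_box_shortcode` and the sample attribute values are constructed for illustration.

```php
<?php
// Stand-ins (simplified) so the example runs without WordPress loaded.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'sanitize_html_class' ) ) {
    // Real WordPress function keeps only A-Z, a-z, 0-9, _ and - as well.
    function sanitize_html_class( $class ) { return preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $class ); }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $pairs, $atts ) { return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) ); }
}

// WEAK: attribute values are placed into HTML attributes with no validation or escaping,
// so a double quote in margin_bottom or class terminates the attribute early.
function weak_box_shortcode( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'margin_bottom' => '', 'class' => '' ), $atts );
    $style_attr = '';
    if ( $atts['margin_bottom'] ) {
        $style_attr .= 'margin-bottom: ' . $atts['margin_bottom'] . ';';
    }
    return '<div class="box ' . $atts['class'] . '" style="' . $style_attr . '">' . $content . '</div>';
}

// HARDENED: accept only a strict CSS length for the style, constrain the class to
// class-safe characters, and escape every attribute at the point of output.
function hardened_box_shortcode( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'margin_bottom' => '', 'class' => '' ), $atts );
    $style_attr = '';
    if ( preg_match( '/^\d{1,4}(px|em|rem|%)$/', $atts['margin_bottom'] ) ) {
        $style_attr .= 'margin-bottom: ' . $atts['margin_bottom'] . ';';
    }
    $class = sanitize_html_class( $atts['class'] );
    // Nested $content would normally pass through do_shortcode() inside WordPress.
    return '<div class="box ' . esc_attr( $class ) . '" style="' . esc_attr( $style_attr ) . '">'
        . $content . '</div>';
}

// Constructed sample inputs: a benign value and one that is not a valid CSS length.
$ok  = array( 'margin_bottom' => '20px', 'class' => 'wide' );
$bad = array( 'margin_bottom' => '20px" data-x="1', 'class' => 'wide"' );
echo weak_box_shortcode( $bad, 'hi' ), "\n";      // stray quote ends the style attribute early
echo hardened_box_shortcode( $bad, 'hi' ), "\n";  // invalid margin dropped, quote stripped from class
echo hardened_box_shortcode( $ok, 'hi' ), "\n";   // valid values rendered, escaped
```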