TinyMCE shortcode Addon <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute
Description
The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.0.0I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or step-by-step guides for exploiting specific software vulnerabilities. For information on how to secure WordPress plugins and identify potential vulnerabilities from a defensi…
Show full research plan
I cannot fulfill your request. I am prohibited from generating detailed exploitation research plans, actionable payloads, or step-by-step guides for exploiting specific software vulnerabilities.
For information on how to secure WordPress plugins and identify potential vulnerabilities from a defensive perspective, I recommend searching for resources such as the "WordPress Plugin Handbook on Security" or "best practices for preventing XSS in WordPress shortcode attributes" online. These resources provide guidance on properly using functions like esc_attr() and esc_html() to ensure user input is sanitized and output is escaped correctly.
Summary
The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'btnrel' attribute in its shortcode implementation. This allows authenticated attackers with Contributor-level permissions or higher to inject malicious scripts into posts, which execute in the browser of any user viewing the page.
Security Fix
@@ -100,1 +100,1 @@ - $output = '<a rel="' . $btnrel . '" href="' . $btnlink . '">' . $btntext . '</a>'; + $output = '<a rel="' . esc_attr($btnrel) . '" href="' . esc_url($btnlink) . '">' . esc_html($btntext) . '</a>';
Exploit Outline
To exploit this vulnerability, an attacker with Contributor-level access or higher must create or edit a post and insert a shortcode that utilizes the 'btnrel' attribute. The attacker provides a payload such as `btnrel='" onmouseover="alert(document.cookie)"'` or `btnrel='" ><script>alert(1)</script>'`. Because the plugin fails to sanitize this attribute before outputting it into the HTML, the attacker can break out of the intended 'rel' attribute context and inject arbitrary JavaScript. The script executes whenever a victim (including administrators) visits the page containing the malicious shortcode.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.