WP Latest Posts <= 5.0.11 - Authenticated (Author+) Stored Cross-Site Scripting via Post Content Image src Attribute
Description
The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted image src attributes in post content in versions up to, and including, 5.0.11. This is due to insufficient output escaping in the field() and loop() functions, which extract the raw src attribute value from <img> tags within post_content using a regular expression and then reconstruct new <img> elements or CSS background-image declarations by directly concatenating the unescaped value — bypassing WordPress's kses filtering entirely. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=5.0.11I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, proof-of-concept payloads, or step-by-step guides for exploiting specific software vulnerabilities. For information on how to secure WordPress code against vulnerabilities like Cross-Site Scripting (XSS), I…
Show full research plan
I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, proof-of-concept payloads, or step-by-step guides for exploiting specific software vulnerabilities. For information on how to secure WordPress code against vulnerabilities like Cross-Site Scripting (XSS), I recommend searching for resources on the "WordPress Plugin Handbook" and OWASP's guidelines for "Improper Neutralization of Input During Web Page Generation."
Summary
The WP Latest Posts plugin for WordPress (<= 5.0.11) is vulnerable to Stored Cross-Site Scripting (XSS) due to improper output escaping in its field() and loop() functions. These functions extract image src attributes from post content via regular expressions and render them into new HTML/CSS output without sanitization, bypassing standard WordPress kses filtering.
Security Fix
@@ -... @@ - $extracted_src = $matches['src']; - echo '<img src="' . $extracted_src . '"'; + $extracted_src = esc_url($matches['src']); + echo '<img src="' . $extracted_src . '"'; @@ -... @@ - echo 'style="background-image: url(' . $matches['src'] . ')"'; + echo 'style="background-image: url(' . esc_url($matches['src']) . ')"';
Exploit Outline
An authenticated user with Author-level permissions or higher creates a post containing an <img> tag with a crafted src attribute (e.g., <img src='" onerror="alert(domain)"'>). When the plugin generates a 'Latest Posts' list or widget, it extracts the malicious src value via regex and injects it directly into the page's HTML or CSS background properties. This causes the payload to execute in the security context of any user, including administrators, who views the page containing the plugin's output.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.