TycheSoftwares / arconix-shortcodes

Arconix Shortcodes provides a number of useful design elements to compliment any website.

Arconix Shortcodes <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode #87

Open oluisrael11 opened 1 day ago

oluisrael11 commented 1 day ago

The Wordfence security team disclosed a vulnerability to us. The security team found out that the Arconix Shortcodes plugin is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to and including 2.1.12 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Steps to reproduce

  1. Install and activate the Arconix Shortcodes plugin.
  2. Sign in as a contributor in a new session/different browser, create a new post, and paste the shortcode below before saving it:

[button icon="' style='width:10000px;height:10000px;max-height:10000px;max-width:100000px;position:absolute;left:0px;top:0px;z-index:1000000;background:rgba(0,0,0,0.5);opacity:0' onmouseover='alert(1)'"]

  3. Access the preview and move your mouse over the page. The alert(1) should trigger.

Impact

The vulnerability could be escalated to trick an admin into executing an undesired request in the context of the current session, as well as other permission-dependent actions.

Recommended Solution

We recommend using one of the built-in WordPress sanitization and/or escaping functions before saving user input data to the database and when displaying it on output. You can read more about the sanitization and escaping functions that WordPress has available at: https://developer.wordpress.org/apis/security/sanitizing/ & https://developer.wordpress.org/apis/security/escaping/.

Additional field

Vulnerability Title: Arconix Shortcodes <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID: CVE-2024-9703
CVSS Severity Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Organization: Wordfence
Vulnerability Researcher(s): Peter Thaleikis
Software Link(s): https://wordpress.org/plugins/arconix-shortcodes

Ticket link: https://support.tychesoftwares.com/conversation/4955
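As an added illustration of the fix the report recommends (this is not the plugin's own code; the handler names `example_button_shortcode_unsafe`/`example_button_shortcode_safe`, the `example_button` tag and the attribute set are hypothetical), a minimal shortcode callback with the unescaped output pattern beside its escaped form, assuming the usual WordPress API is loaded:

```php
<?php
// Added example, not Arconix Shortcodes code. Assumes a WordPress
// environment (shortcode_atts, esc_attr, esc_url, wp_kses_post exist).

// Vulnerable pattern: attribute values taken from the post body are
// concatenated straight into HTML. A single quote in an attribute value
// closes the quoted HTML attribute, so a contributor can append further
// attributes (style=, onmouseover=) that the browser then honours.
function example_button_shortcode_unsafe( $atts, $content = null ) {
    $a = shortcode_atts( array(
        'url'   => '#',
        'icon'  => '',
        'color' => 'blue',
    ), $atts, 'example_button' );

    return '<a href="' . $a['url'] . '" class="btn btn-' . $a['color'] . '">'
         . '<span class="icon-' . $a['icon'] . '"></span>'
         . $content
         . '</a>';
}

// Hardened pattern: validate what can be validated (allow-list for
// color), escape each value for the context it lands in (esc_attr for
// attribute values, esc_url for href), and pass nested content through
// the normal shortcode and KSES pipeline instead of echoing it raw.
function example_button_shortcode_safe( $atts, $content = null ) {
    $a = shortcode_atts( array(
        'url'   => '#',
        'icon'  => '',
        'color' => 'blue',
    ), $atts, 'example_button' );

    $allowed_colors = array( 'blue', 'red', 'green' );
    $color = in_array( $a['color'], $allowed_colors, true ) ? $a['color'] : 'blue';

    // Reduce the icon to a CSS class fragment so it cannot carry markup.
    $icon = sanitize_html_class( $a['icon'] );

    return '<a href="' . esc_url( $a['url'] ) . '" class="btn btn-' . esc_attr( $color ) . '">'
         . ( '' !== $icon ? '<span class="icon-' . esc_attr( $icon ) . '"></span>' : '' )
         . wp_kses_post( do_shortcode( $content ) )
         . '</a>';
}

add_shortcode( 'example_button', 'example_button_shortcode_safe' );
```

With the escaped form, the quote in the report's payload is emitted as `&#039;` and stays inside the `class` attribute value rather than terminating it.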