Over 100 WordPress Repository Plugins Affected by Shortcode-based Stored Cross-Site Scripting

On August 14, 2023, the Wordfence Threat Intelligence team began a research project to find Stored Cross-Site Scripting via Shortcode vulnerabilities in WordPress repository plugins.
We found over 100 vulnerabilities across 100 plugins which affect over 6 million sites.
Developers can use shortcode attributes to optionally add settings, making the content even more dynamic and providing more options for users.
It is important to note that shortcodes are typically used in the post content on WordPress sites, and the post content input is sanitized before being saved to the database, which is a WordPress core functionality, so it is often sanitized in all cases.
Developers might assume that since WordPress core sanitizes post content, the attributes used in shortcodes are also sanitized and secure.
These vulnerabilities occur when the value provided in the shortcode attribute is output in dynamically generated content within the attributes of an HTML element.
The value specified in the shortcode contains only HTML element attributes, which are not sanitized during the save of a post.
An example shortcode containing an HTML tag sanitized by the wp kses post() function: In this case, wp kses post() checks and sanitizes the entire

tag and its attributes.
An example shortcode not sanitized by the wp kses post() function: As there is no HTML tag in this case, the wp kses post() function does not check or sanitize anything.
Developers might reasonably assume that the shortcode attributes are sanitized and secure.
Technical Analysis #1. A general but fictional shortcode will be used to demonstrate a shortcode XSS vulnerability, focusing only on the most important details.
Let's take an example where shortcode attributes are used as HTML attributes.
Let's take a look at an example where the following shortcode is used in the post content: Link Text.
In this case, the class attribute of the shortcode is used and outputted in the class attribute of the HTML tag.
Now, let's take a look at a threat actor that wants to inject malicious web scripts into a post using the plugin's shortcode.
To make the shortcode secure, escape functions must be used.
The above two functions make the shortcode completely secure against Cross-Site Scripting.
Technical Analysis #2. Next, let's look at an example where shortcode attributes are used as JS variable values.
In this blog post, we have detailed Stored Shortcode-Based XSS vulnerabilities within several WordPress repository plugins.
For unpatched plugins that have been closed by the WordPress.org security team, we recommend that WordPress users delete the affected plugin and look for an alternative solution.

This Cyber News was published on www.wordfence.com. Publication date: Tue, 12 Dec 2023 17:43:04 +0000