Over 100 WordPress Repository Plugins Affected by Shortcode-based Stored Cross-Site Scripting

On August 14, 2023, the Wordfence Threat Intelligence team began a research project to find Stored Cross-Site Scripting (XSS) via Shortcode vulnerabilities in WordPress repository plugins. This type of vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using plugin shortcodes, which will execute whenever a victim accesses the injected page. We found over 100 vulnerabilities across 100 plugins which affect over 6 million sites. You can find the complete chart of affected plugins below.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected by the Wordfence firewall’s built-in Cross-Site Scripting protection against any exploits targeting this type of vulnerability.

Why are these vulnerabilities so common?

By a general definition, shortcodes are unique macro codes added by plugin developers to dynamically and automatically generate content. Developers can use shortcode attributes to optionally add settings, making the content even more dynamic and providing more options for users.

It is important to note that shortcodes are typically used in the post content on WordPress sites, and the post content input is sanitized before being saved to the database, which is a WordPress core functionality, so it is often sanitized in all cases.

Developers might assume that since WordPress core sanitizes post content, the attributes used in shortcodes are also sanitized and secure. However, the wp_kses_post() sanitization function only sanitizes complete HTML elements.

These vulnerabilities occur when the value provided in the shortcode attribute is output in dynamically generated content within the attributes of an HTML element. In such cases, the value specified in the shortcode contains only HTML element attributes, which are not sanitized during the save of a post. As mentioned earlier, the sanitize function only sanitizes complete HTML tags.

An example shortcode containing an HTML tag sanitized by the wp_kses_post() function:
[custom_link class=”<p onmouseover=’alert(/XSS/)’>Click Here!</p>”]
In this case, wp_kses_post() checks and sanitizes the entire <p> tag and its attributes.

An example shortcode not sanitized by the wp_kses_post() function:
[cutsom_link class=”‘ onmouseover=’alert(/XSS/)'”]
As there is no HTML tag in this case, the wp_kses_post() function does not check or sanitize anything.

Note: The above explanation demonstrates the usage of cross-site scripting within HTML attributes as it is the most common scenario, but the same problem applies to JS variable values, which will be equally vulnerable if not properly escaped.

Even the WordPress security handbook says the following about escaping output:

“Most WordPress functions properly prepare the data for output, and additional escaping is not needed.”

https://developer.wordpress.org/apis/security/escaping/

After reading this, developers might reasonably assume that the shortcode attributes are sanitized and secure. However, as demonstrated in the above example, there are exceptions.

Vulnerability Summary from Wordfence Intelligence

Plugin Name
Plugin Slug
CVE
Affected Versions
Patched Version

VK Filter Search
vk-filter-search
CVE-2023-5705

2.3.2

Telephone Number Linker
telephone-number-linker
CVE-2023-5743

Tab Ultimate
tabs-pro
CVE-2023-5667

1.4

Ibtana – WordPress Website Builder
ibtana-visual-editor
CVE-2023-6684

1.2.2.1

Featured Image Caption
featured-image-caption
CVE-2023-5669

0.8.11

Reusable Text Blocks
reusable-text-blocks
CVE-2023-5745

Font Awesome More Icons
font-awesome-more-icons
CVE-2023-5232

Podcast Subscribe Buttons
podcast-subscribe-buttons
CVE-2023-5308

1.4.9

Slick Contact Forms
slick-contact-forms
CVE-2023-5468

LiteSpeed Cache
litespeed-cache
CVE-2023-4372

5.7

Theme Switcha – Easily Switch Themes for Development and Testing
theme-switcha
CVE-2023-5614

3.3.1

WordPress Charts
wp-charts
CVE-2023-5062

EasyRotator for WordPress – Slider Plugin
easyrotator-for-wordpress
CVE-2023-5742

Leaflet Map
leaflet-map
CVE-2023-5050

3.3.1

Bitly’s WordPress Plugin
wp-bitly
CVE-2023-5577

flowpaper
flowpaper-lite-pdf-flipbook
CVE-2023-5200

2.0.4

SEO Slider
seo-slider
CVE-2023-5707

1.1.1

CallRail Phone Call Tracking
callrail-phone-call-tracking
CVE-2023-5051

0.5.3

iframe
iframe
CVE-2023-4919

4.7

Feeds for YouTube (YouTube video, channel, and gallery plugin)
feeds-for-youtube
CVE-2023-4841

2.1.2

Instagram for WordPress
instagram-for-wordpress
CVE-2023-5357

Awesome Weather Widget
awesome-weather
CVE-2023-4944

FareHarbor for WordPress
fareharbor
CVE-2023-5252

3.6.8

Shortcode Menu
shortcode-menu
CVE-2023-5565

Modal Window – create popup modal window
modal-window
CVE-2023-5161

5.3.6

Sponsors
wp-sponsors
CVE-2023-5662

Gift Up Gift Cards for WordPress and WooCommerce
gift-up
CVE-2023-5703

2.20.2

Bellows Accordion Menu
bellows-accordion-menu
CVE-2023-5164

1.4.3

TCD Google Maps
tcd-google-maps
CVE-2023-5128

Super Testimonials
super-testimonial
CVE-2023-5613

3.0

SlimStat Analytics
wp-slimstat
CVE-2023-4597

5.0.10

WP Font Awesome
wp-font-awesome
CVE-2023-5127

Advanced Menu Widget
advanced-menu-widget
CVE-2023-5085

Comments by Startbit
facebook-comment-by-vivacity
CVE-2023-5295

BSK PDF Manager
bsk-pdf-manager
CVE-2023-5110

3.4.2

Video PopUp
video-popup
CVE-2023-4962

1.1.4

Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages
wplegalpages
CVE-2023-4968

2.9.3

WP Responsive header image slider
responsive-header-image-slider
CVE-2023-5334

Interact: Embed A Quiz On Your Site
interact-quiz-embed
CVE-2023-5659

3.1

WDContactFormBuilder
contact-form-builder
CVE-2023-5048

Widget Responsive for Youtube
youtube-widget-responsive
CVE-2023-5063

1.6.2

TM WooCommerce Compare & Wishlist
tm-woocommerce-compare-wishlist
CVE-2023-5230

Pop ups, WordPress Exit Intent Popup, Email Pop Up, Lightbox Pop Up, Spin the Wheel, Contact Form Builder – Poptin
poptin
CVE-2023-4961

1.3.1

WhatsApp Share Button
whatsapp
CVE-2023-5668

Delete Me
delete-me
CVE-2023-5126

3.1

WP MapIt
wp-mapit
CVE-2023-5658

iframe forms
iframe-forms
CVE-2023-5073

Newsletter – Send awesome emails from WordPress
newsletter
CVE-2023-4772

7.9.0

Theme Blvd Shortcodes
theme-blvd-shortcodes
CVE-2023-5338

Social Feed | All social media in one place
add-facebook
CVE-2023-5661

WS Facebook Like Box Widget
ws-facebook-likebox
CVE-2023-4963

Garden Gnome Package
garden-gnome-package
CVE-2023-5664

2.2.9

Social Sharing Plugin – Social Warfare
social-warfare
CVE-2023-4842

4.4.4

Skype Legacy Buttons
skype-online-status
CVE-2023-5615

Simple Cloudflare Turnstile – CAPTCHA Alternative
simple-cloudflare-turnstile
CVE-2023-5135

1.23.2

Booster for WooCommerce
woocommerce-jetpack
CVE-2023-4945

7.1.1

Simple Shortcodes
smpl-shortcodes
CVE-2023-5566

Font Awesome Integration
font-awesome-integration
CVE-2023-5233

Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
rafflepress
CVE-2023-5049

1.12.2

ImageMapper
imagemapper
CVE-2023-5507

Accordion
accordions-wp
CVE-2023-5666

2.7

GEO my WordPress
geo-my-wp
CVE-2023-5467

4.0.1

Related Products for WooCommerce
woo-related-products-refresh-on-reload
CVE-2023-5234

3.3.16

Live Chat with Facebook Messenger
wp-facebook-messenger
CVE-2023-5740

Contact form Form For All – Easy to use, fast, 37 languages.
formforall
CVE-2023-5337

JQuery Accordion Menu Widget
jquery-vertical-accordion-menu
CVE-2023-4890

Blog Filter – Advanced Post Filtering with Categories Or Tags, Post Portfolio Gallery, Blog Design Template, Post Layout
blog-filter
CVE-2023-5291

1.5.4

WordPress Social Login
wordpress-social-login
CVE-2023-4773

QR Code Tag
qr-code-tag
CVE-2023-5567

Buzzsprout Podcasting
buzzsprout-podcasting
CVE-2023-5335

1.8.5

Drop Shadow Boxes
drop-shadow-boxes
CVE-2023-5469

1.7.14

Carousel, Recent Post Slider and Banner Slider
spice-post-slider
CVE-2023-5362

2.1

Weather Atlas Widget
weather-atlas
CVE-2023-5163

2.0.0

Contact Form – Custom Builder, Payment Form, and More
powr-pack
CVE-2023-5741

MapPress Maps for WordPress
mappress-google-maps-for-wordpress
CVE-2023-4840

2.88.5

Media Library Assistant
media-library-assistant
CVE-2023-4716

3.11

Google Maps Plugin by Intergeo
intergeo-maps
CVE-2023-4887

SendPress Newsletters
sendpress
CVE-2023-5660

1.23.11.6

Magic Action Box
magic-action-box
CVE-2023-5231

Embed Calendly
embed-calendly-scheduling
CVE-2023-4995

3.7

Team Showcase
team-showcase
CVE-2023-5639

2.2

Horizontal scrolling announcement
horizontal-scrolling-announcement
CVE-2023-5001

WP Post Columns
wp-post-columns
CVE-2023-5708

Font Awesome 4 Menus
font-awesome-4-menus
CVE-2023-4718

Advanced Custom Fields: Extended
acf-extended
CVE-2023-5292

0.8.9.4

Options for Twenty Seventeen
options-for-twenty-seventeen
CVE-2023-5162

2.5.1

Etsy Shop
etsy-shop
CVE-2023-5470

3.0.5

Copy Anything to Clipboard
copy-the-code
CVE-2023-5086

2.6.5

Email Encoder – Protect Email Addresses and Phone Numbers
email-encoder-bundle
CVE-2023-4599

2.1.9

Advanced iFrame
advanced-iframe
CVE-2023-4775

2023.9

WP Mailto Links – Protect Email Addresses
wp-mailto-links
CVE-2023-5109

3.1.4

Booster for WooCommerce
woocommerce-jetpack
CVE-2023-5638

7.1.3

Ziteboard Online Whiteboard
ziteboard-online-whiteboard
CVE-2023-5076

3.0.0

Simple Like Page Plugin
simple-facebook-plugin
CVE-2023-4888

1.5.2

CPO Shortcodes
cpo-shortcodes
CVE-2023-5704

WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
wc-multivendor-marketplace
CVE-2023-4960

3.6.3

Connect Matomo (WP-Matomo, WP-Piwik)
wp-piwik
CVE-2023-4774

1.0.29

Very Simple Google Maps
very-simple-google-maps
CVE-2023-5744

2.9.1

Contact Form by FormGet – Best Form Builder Plugin for WordPress
formget-contact-form
CVE-2023-5125

Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
shareaholic
CVE-2023-4889

9.7.9

Security recommendations for developers

We recommend using one of the built-in WordPress escaping functions before outputting user data. WordPress has a number of functions that can be used for different situations. You can read more about these functions at: https://developer.wordpress.org/apis/security/escaping/

Technical Analysis #1

A general but fictional shortcode will be used to demonstrate a shortcode XSS vulnerability, focusing only on the most important details.

Let’s take an example where shortcode attributes are used as HTML attributes.

The vulnerable shortcode function:

function custom_link_shortcode( $atts, $content ) {
$atts = shortcode_atts( array(
‘class’ => ‘custom-link’, // default class value
‘href’ => ‘#’, // default href value
), $atts );

$output = ‘<a class=”‘ . $atts[‘class’] . ‘” href=”‘ . $atts[‘href’] . ‘”>’ . $content . ‘</a>’;

return $output;
}

add_shortcode( ‘custom_link’, ‘custom_link_shortcode’ );

Let’s take a look at an example where the following shortcode is used in the post content:
[custom_link class=’my-custom-class’]Link Text[/custom_link]

As a result, the following link will be displayed in the post:

<a class=”my-custom-class” href=”#”>Link Text</a>

In this case, the class attribute of the shortcode is used and outputted in the class attribute of the <a> HTML tag.

The Exploit

Now, let’s take a look at a threat actor that wants to inject malicious web scripts into a post using the plugin’s shortcode. To accomplish this, the attacker needs to leave the specified HTML attribute, which in the example is the “class” attribute and add an additional malicious HTML attribute after.

Here’s an exploit example:
[custom_link class='” onmouseover=”alert(/XSS/)’]Link Text[/custom_link]

With the payload above, the following link will be displayed in the post:

<a class=”” onmouseover=”alert(/XSS/)” href=”#”>Link Text</a>

The first double quotation mark provided in the shortcode’s “class” attribute closes the “class” HTML attribute within the <a> tag. After that the “onmouseover” HTML attribute containing a malicious script is added to the <a> tag. This means that whenever a user mouses over the rendered shortcode, a prompt with “XSS” would appear on the screen.

The Solution

To make the shortcode secure, escape functions must be used. This prevents user-defined input from leaving the original “class” HTML attribute as any quotes used to leave the HTML attribute will be escaped.

Let’s make the example shortcode code secure:

function custom_link_shortcode( $atts, $content ) {
$atts = shortcode_atts( array(
‘class’ => ‘custom-link’, // default class value
‘href’ => ‘#’, // default href value
), $atts );

$output = ‘<a class=”‘ . esc_attr( $atts[‘class’] ) . ‘” href=”‘ . esc_url( $atts[‘href’] ) . ‘”>’ . $content . ‘</a>’;

return $output;
}

add_shortcode( ‘custom_link’, ‘custom_link_shortcode’ );

The “class” data is an attribute, so it is recommended to use the esc_attr() function there.
The “href” data is a url, which is an attribute that has more specific requirements, so it is recommended to use the esc_url() function there.

The above two functions make the shortcode completely secure against Cross-Site Scripting.

If the attacker tries to add a malicious shortcode using the patched functionality, it will result in the following link, which no longer contains executable JavaScript:

<a class=”&quot; onmouseover=&quot;alert(/XSS/)” href=”#”>Link Text</a>

Technical Analysis #2

Next, let’s look at an example where shortcode attributes are used as JS variable values.

The vulnerable shortcode function assigns shortcode attributes to JS variables:

function custom_js_color_variable_shortcode( $atts ) {
$atts = shortcode_atts( array(
‘color’ => ‘red’, // default color value
), $atts );

$output = ‘<script>’ . ‘let color=”‘ . $atts[‘color’] . ‘”;’ . ‘</script>’;

return $output;
}

add_shortcode( ‘custom_js_color_variable’, ‘custom_js_color_variable_shortcode’ );

Here’s an example where the following shortcode is used in the post content:
[custom_js_color_variable color=’blue’]

As a result, the following script with a variable setting for “color” will be displayed in the post:

<script>let color=”blue”;</script>

The Exploit

Now, we’ll try to exploit the shortcode:
[custom_js_color_variable color='”; alert(/XSS/); let more=”‘]

As a result, the following script will be displayed in the post:

<script>let color=””; alert(/XSS/); let more=””;</script>

The Solution

Let’s make the example shortcode code secure:

function custom_js_color_variable_shortcode( $atts ) {
$atts = shortcode_atts( array(
‘color’ => ‘red’, // default color value
), $atts );

$output = ‘<script>’ . ‘let color=”‘ . esc_js( $atts[‘color’] ) . ‘”;’ . ‘</script>’;

return $output;
}

add_shortcode( ‘custom_js_color_variable’, ‘custom_js_color_variable_shortcode’ );

The “color” data is a JS variable, so it is recommended to use the esc_js() function.

The following script will be displayed in the post if the attacker tries using the same malicious shortcode:

<script>let color=”&quot;; alert(/XSS/); let more=&quot;”;</script>

Conclusion

In this blog post, we have detailed Stored Shortcode-Based XSS vulnerabilities within several WordPress repository plugins. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. As with all XSS vulnerabilities, a malicious payload could be used to perform actions as an administrator, including adding new malicious administrator users to the site and embedding backdoors in plugin and theme files, as well as redirecting users to malicious sites.

We encourage WordPress users to verify that their sites are updated to the latest patched version of each impacted plugin. For unpatched plugins that have been closed by the WordPress.org security team, we recommend that WordPress users delete the affected plugin and look for an alternative solution.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this type of vulnerability.

If you know someone who uses any of these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this type of vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Did you know that Wordfence has a Bug Bounty Program? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.

The post Over 100 WordPress Repository Plugins Affected by Shortcode-based Stored Cross-Site Scripting appeared first on Wordfence.

Posted in

About Us

I believe that everyone should have a mechanic that they can trust and after spending several years helping out various customers for large companies I've seen my fair share of issues.

Honesty, Integrity, and Compassion are what we share with everyone that we work with. Stop scouring the internet for help and see how we can help you today.

Our Services

Website Migrations

Plugin & Theme Updates

IDX Broker Customizations

Facebook Chatbots

DNS & Email Integrations

logo

E-mail: contact@thewpmechanic.com