Headline

CVE-2023-48300: Missing escaping for show_all attribute in opt-out shortcode

The Embed Privacy plugin for WordPress that prevents the loading of embedded external content is vulnerable to Stored Cross-Site Scripting via embed_privacy_opt_out shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Version 1.8.1 contains a patch for this issue.

12 months ago

CVE

Open in Source

#xss #web #wordpress #php #auth

Impact

The Embed Privacy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ‘embed_privacy_opt_out’ shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping on user supplied attributes.

This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerable File: embed-privacy/inc/class-embed-privacy.php

Line: 2153

POC Video: https://d.pr/v/ORuIat

(1) Install and activate the plugin as an administrator.

(2) As a contributor, create a post using the following shortcode:

[embed_privacy_opt_out show_all=’xxx123" onmouseover=alert(1) foo="bar’]

(3) When the administrator previews the post, and hovers the element, the XSS payload will execute.
POC Video: https://d.pr/v/ORuIat

Patches

Version 1.8.1 contains a patch.