On August 14, 2023, the Wordfence Threat Intelligence team began a research project to find Stored Cross-Site Scripting (XSS) via Shortcode vulnerabilities in WordPress repository plugins. This type of vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using plugin shortcodes, which will execute whenever a victim accesses the injected page. We found over 100 vulnerabilities across 100 plugins which affect over 6 million sites. You can find the complete chart of affected plugins below.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected by the Wordfence firewall’s built-in Cross-Site Scripting protection against any exploits targeting this type of vulnerability.
Why are these vulnerabilities so common?
By a general definition, shortcodes are unique macro codes added by plugin developers to dynamically and automatically generate content. Developers can use shortcode attributes to optionally add settings, making the content even more dynamic and providing more options for users.
It is important to note that shortcodes are typically used in the post content on WordPress sites, and the post content input is sanitized before being saved to the database, which is a WordPress core functionality, so it is often sanitized in all cases.
Developers might assume that since WordPress core sanitizes post content, the attributes used in shortcodes are also sanitized and secure. However, the wp_kses_post() sanitization function only sanitizes complete HTML elements.
These vulnerabilities occur when the value provided in the shortcode attribute is output in dynamically generated content within the attributes of an HTML element. In such cases, the value specified in the shortcode contains only HTML element attributes, which are not sanitized during the save of a post. As mentioned earlier, the sanitize function only sanitizes complete HTML tags.
An example shortcode containing an HTML tag sanitized by the wp_kses_post() function:
[custom_link class=”<p onmouseover=’alert(/XSS/)’>Click Here!</p>”]
In this case, wp_kses_post() checks and sanitizes the entire <p> tag and its attributes.
An example shortcode not sanitized by the wp_kses_post() function:
[cutsom_link class=”‘ onmouseover=’alert(/XSS/)'”]
As there is no HTML tag in this case, the wp_kses_post() function does not check or sanitize anything.
Note: The above explanation demonstrates the usage of cross-site scripting within HTML attributes as it is the most common scenario, but the same problem applies to JS variable values, which will be equally vulnerable if not properly escaped.
Even the WordPress security handbook says the following about escaping output:
“Most WordPress functions properly prepare the data for output, and additional escaping is not needed.”
https://developer.wordpress.org/apis/security/escaping/
After reading this, developers might reasonably assume that the shortcode attributes are sanitized and secure. However, as demonstrated in the above example, there are exceptions.
Vulnerability Summary from Wordfence Intelligence
Plugin Name
Plugin Slug
CVE
Affected Versions
Patched Version
VK Filter Search
vk-filter-search
CVE-2023-5705
2.3.2
Telephone Number Linker
telephone-number-linker
CVE-2023-5743
Tab Ultimate
tabs-pro
CVE-2023-5667
1.4
Ibtana – WordPress Website Builder
ibtana-visual-editor
CVE-2023-6684
1.2.2.1
Featured Image Caption
featured-image-caption
CVE-2023-5669
0.8.11
Reusable Text Blocks
reusable-text-blocks
CVE-2023-5745
Font Awesome More Icons
font-awesome-more-icons
CVE-2023-5232
Podcast Subscribe Buttons
podcast-subscribe-buttons
CVE-2023-5308
1.4.9
Slick Contact Forms
slick-contact-forms
CVE-2023-5468
LiteSpeed Cache
litespeed-cache
CVE-2023-4372
5.7
Theme Switcha – Easily Switch Themes for Development and Testing
theme-switcha
CVE-2023-5614
3.3.1
WordPress Charts
wp-charts
CVE-2023-5062
EasyRotator for WordPress – Slider Plugin
easyrotator-for-wordpress
CVE-2023-5742
Leaflet Map
leaflet-map
CVE-2023-5050
3.3.1
Bitly’s WordPress Plugin
wp-bitly
CVE-2023-5577
flowpaper
flowpaper-lite-pdf-flipbook
CVE-2023-5200
2.0.4
SEO Slider
seo-slider
CVE-2023-5707
1.1.1
CallRail Phone Call Tracking
callrail-phone-call-tracking
CVE-2023-5051
0.5.3
iframe
iframe
CVE-2023-4919
4.7
Feeds for YouTube (YouTube video, channel, and gallery plugin)
feeds-for-youtube
CVE-2023-4841
2.1.2
Instagram for WordPress
instagram-for-wordpress
CVE-2023-5357
Awesome Weather Widget
awesome-weather
CVE-2023-4944
FareHarbor for WordPress
fareharbor
CVE-2023-5252
3.6.8
Shortcode Menu
shortcode-menu
CVE-2023-5565
Modal Window – create popup modal window
modal-window
CVE-2023-5161
5.3.6
Sponsors
wp-sponsors
CVE-2023-5662
Gift Up Gift Cards for WordPress and WooCommerce
gift-up
CVE-2023-5703
2.20.2
Bellows Accordion Menu
bellows-accordion-menu
CVE-2023-5164
1.4.3
TCD Google Maps
tcd-google-maps
CVE-2023-5128
Super Testimonials
super-testimonial
CVE-2023-5613
3.0
SlimStat Analytics
wp-slimstat
CVE-2023-4597
5.0.10
WP Font Awesome
wp-font-awesome
CVE-2023-5127
Advanced Menu Widget
advanced-menu-widget
CVE-2023-5085
Comments by Startbit
facebook-comment-by-vivacity
CVE-2023-5295
BSK PDF Manager
bsk-pdf-manager
CVE-2023-5110
3.4.2
Video PopUp
video-popup
CVE-2023-4962
1.1.4
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages
wplegalpages
CVE-2023-4968
2.9.3
WP Responsive header image slider
responsive-header-image-slider
CVE-2023-5334
Interact: Embed A Quiz On Your Site
interact-quiz-embed
CVE-2023-5659
3.1
WDContactFormBuilder
contact-form-builder
CVE-2023-5048
Widget Responsive for Youtube
youtube-widget-responsive
CVE-2023-5063
1.6.2
TM WooCommerce Compare & Wishlist
tm-woocommerce-compare-wishlist
CVE-2023-5230
Pop ups, WordPress Exit Intent Popup, Email Pop Up, Lightbox Pop Up, Spin the Wheel, Contact Form Builder – Poptin
poptin
CVE-2023-4961
1.3.1
WhatsApp Share Button
whatsapp
CVE-2023-5668
Delete Me
delete-me
CVE-2023-5126
3.1
WP MapIt
wp-mapit
CVE-2023-5658
iframe forms
iframe-forms
CVE-2023-5073
Newsletter – Send awesome emails from WordPress
newsletter
CVE-2023-4772
7.9.0
Theme Blvd Shortcodes
theme-blvd-shortcodes
CVE-2023-5338
Social Feed | All social media in one place
add-facebook
CVE-2023-5661
WS Facebook Like Box Widget
ws-facebook-likebox
CVE-2023-4963
Garden Gnome Package
garden-gnome-package
CVE-2023-5664
2.2.9
Social Sharing Plugin – Social Warfare
social-warfare
CVE-2023-4842
4.4.4
Skype Legacy Buttons
skype-online-status
CVE-2023-5615
Simple Cloudflare Turnstile – CAPTCHA Alternative
simple-cloudflare-turnstile
CVE-2023-5135
1.23.2
Booster for WooCommerce
woocommerce-jetpack
CVE-2023-4945
7.1.1
Simple Shortcodes
smpl-shortcodes
CVE-2023-5566
Font Awesome Integration
font-awesome-integration
CVE-2023-5233
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers
rafflepress
CVE-2023-5049
1.12.2
ImageMapper
imagemapper
CVE-2023-5507
Accordion
accordions-wp
CVE-2023-5666
2.7
GEO my WordPress
geo-my-wp
CVE-2023-5467
4.0.1
Related Products for WooCommerce
woo-related-products-refresh-on-reload
CVE-2023-5234
3.3.16
Live Chat with Facebook Messenger
wp-facebook-messenger
CVE-2023-5740
Contact form Form For All – Easy to use, fast, 37 languages.
formforall
CVE-2023-5337
JQuery Accordion Menu Widget
jquery-vertical-accordion-menu
CVE-2023-4890
Blog Filter – Advanced Post Filtering with Categories Or Tags, Post Portfolio Gallery, Blog Design Template, Post Layout
blog-filter
CVE-2023-5291
1.5.4
WordPress Social Login
wordpress-social-login
CVE-2023-4773
QR Code Tag
qr-code-tag
CVE-2023-5567
Buzzsprout Podcasting
buzzsprout-podcasting
CVE-2023-5335
1.8.5
Drop Shadow Boxes
drop-shadow-boxes
CVE-2023-5469
1.7.14
Carousel, Recent Post Slider and Banner Slider
spice-post-slider
CVE-2023-5362
2.1
Weather Atlas Widget
weather-atlas
CVE-2023-5163
2.0.0
Contact Form – Custom Builder, Payment Form, and More
powr-pack
CVE-2023-5741
MapPress Maps for WordPress
mappress-google-maps-for-wordpress
CVE-2023-4840
2.88.5
Media Library Assistant
media-library-assistant
CVE-2023-4716
3.11
Google Maps Plugin by Intergeo
intergeo-maps
CVE-2023-4887
SendPress Newsletters
sendpress
CVE-2023-5660
1.23.11.6
Magic Action Box
magic-action-box
CVE-2023-5231
Embed Calendly
embed-calendly-scheduling
CVE-2023-4995
3.7
Team Showcase
team-showcase
CVE-2023-5639
2.2
Horizontal scrolling announcement
horizontal-scrolling-announcement
CVE-2023-5001
WP Post Columns
wp-post-columns
CVE-2023-5708
Font Awesome 4 Menus
font-awesome-4-menus
CVE-2023-4718
Advanced Custom Fields: Extended
acf-extended
CVE-2023-5292
0.8.9.4
Options for Twenty Seventeen
options-for-twenty-seventeen
CVE-2023-5162
2.5.1
Etsy Shop
etsy-shop
CVE-2023-5470
3.0.5
Copy Anything to Clipboard
copy-the-code
CVE-2023-5086
2.6.5
Email Encoder – Protect Email Addresses and Phone Numbers
email-encoder-bundle
CVE-2023-4599
2.1.9
Advanced iFrame
advanced-iframe
CVE-2023-4775
2023.9
WP Mailto Links – Protect Email Addresses
wp-mailto-links
CVE-2023-5109
3.1.4
Booster for WooCommerce
woocommerce-jetpack
CVE-2023-5638
7.1.3
Ziteboard Online Whiteboard
ziteboard-online-whiteboard
CVE-2023-5076
3.0.0
Simple Like Page Plugin
simple-facebook-plugin
CVE-2023-4888
1.5.2
CPO Shortcodes
cpo-shortcodes
CVE-2023-5704
WCFM Marketplace – Best Multivendor Marketplace for WooCommerce
wc-multivendor-marketplace
CVE-2023-4960
3.6.3
Connect Matomo (WP-Matomo, WP-Piwik)
wp-piwik
CVE-2023-4774
1.0.29
Very Simple Google Maps
very-simple-google-maps
CVE-2023-5744
2.9.1
Contact Form by FormGet – Best Form Builder Plugin for WordPress
formget-contact-form
CVE-2023-5125
Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic
shareaholic
CVE-2023-4889
9.7.9
Security recommendations for developers
We recommend using one of the built-in WordPress escaping functions before outputting user data. WordPress has a number of functions that can be used for different situations. You can read more about these functions at: https://developer.wordpress.org/apis/security/escaping/
Technical Analysis #1
A general but fictional shortcode will be used to demonstrate a shortcode XSS vulnerability, focusing only on the most important details.
Let’s take an example where shortcode attributes are used as HTML attributes.
The vulnerable shortcode function:
function custom_link_shortcode( $atts, $content ) {
$atts = shortcode_atts( array(
‘class’ => ‘custom-link’, // default class value
‘href’ => ‘#’, // default href value
), $atts );
$output = ‘<a class=”‘ . $atts[‘class’] . ‘” href=”‘ . $atts[‘href’] . ‘”>’ . $content . ‘</a>’;
return $output;
}
add_shortcode( ‘custom_link’, ‘custom_link_shortcode’ );
Let’s take a look at an example where the following shortcode is used in the post content:
[custom_link class=’my-custom-class’]Link Text[/custom_link]
As a result, the following link will be displayed in the post:
<a class=”my-custom-class” href=”#”>Link Text</a>
In this case, the class attribute of the shortcode is used and outputted in the class attribute of the <a> HTML tag.
The Exploit
Now, let’s take a look at a threat actor that wants to inject malicious web scripts into a post using the plugin’s shortcode. To accomplish this, the attacker needs to leave the specified HTML attribute, which in the example is the “class” attribute and add an additional malicious HTML attribute after.
Here’s an exploit example:
[custom_link class='” onmouseover=”alert(/XSS/)’]Link Text[/custom_link]
With the payload above, the following link will be displayed in the post:
<a class=”” onmouseover=”alert(/XSS/)” href=”#”>Link Text</a>
The first double quotation mark provided in the shortcode’s “class” attribute closes the “class” HTML attribute within the <a> tag. After that the “onmouseover” HTML attribute containing a malicious script is added to the <a> tag. This means that whenever a user mouses over the rendered shortcode, a prompt with “XSS” would appear on the screen.
The Solution
To make the shortcode secure, escape functions must be used. This prevents user-defined input from leaving the original “class” HTML attribute as any quotes used to leave the HTML attribute will be escaped.
Let’s make the example shortcode code secure:
function custom_link_shortcode( $atts, $content ) {
$atts = shortcode_atts( array(
‘class’ => ‘custom-link’, // default class value
‘href’ => ‘#’, // default href value
), $atts );
$output = ‘<a class=”‘ . esc_attr( $atts[‘class’] ) . ‘” href=”‘ . esc_url( $atts[‘href’] ) . ‘”>’ . $content . ‘</a>’;
return $output;
}
add_shortcode( ‘custom_link’, ‘custom_link_shortcode’ );
The “class” data is an attribute, so it is recommended to use the esc_attr() function there.
The “href” data is a url, which is an attribute that has more specific requirements, so it is recommended to use the esc_url() function there.
The above two functions make the shortcode completely secure against Cross-Site Scripting.
If the attacker tries to add a malicious shortcode using the patched functionality, it will result in the following link, which no longer contains executable JavaScript:
<a class=”" onmouseover="alert(/XSS/)” href=”#”>Link Text</a>
Technical Analysis #2
Next, let’s look at an example where shortcode attributes are used as JS variable values.
The vulnerable shortcode function assigns shortcode attributes to JS variables:
function custom_js_color_variable_shortcode( $atts ) {
$atts = shortcode_atts( array(
‘color’ => ‘red’, // default color value
), $atts );
$output = ‘<script>’ . ‘let color=”‘ . $atts[‘color’] . ‘”;’ . ‘</script>’;
return $output;
}
add_shortcode( ‘custom_js_color_variable’, ‘custom_js_color_variable_shortcode’ );
Here’s an example where the following shortcode is used in the post content:
[custom_js_color_variable color=’blue’]
As a result, the following script with a variable setting for “color” will be displayed in the post:
<script>let color=”blue”;</script>
The Exploit
Now, we’ll try to exploit the shortcode:
[custom_js_color_variable color='”; alert(/XSS/); let more=”‘]
As a result, the following script will be displayed in the post:
<script>let color=””; alert(/XSS/); let more=””;</script>
The Solution
Let’s make the example shortcode code secure:
function custom_js_color_variable_shortcode( $atts ) {
$atts = shortcode_atts( array(
‘color’ => ‘red’, // default color value
), $atts );
$output = ‘<script>’ . ‘let color=”‘ . esc_js( $atts[‘color’] ) . ‘”;’ . ‘</script>’;
return $output;
}
add_shortcode( ‘custom_js_color_variable’, ‘custom_js_color_variable_shortcode’ );
The “color” data is a JS variable, so it is recommended to use the esc_js() function.
The following script will be displayed in the post if the attacker tries using the same malicious shortcode:
<script>let color=”"; alert(/XSS/); let more="”;</script>
Conclusion
In this blog post, we have detailed Stored Shortcode-Based XSS vulnerabilities within several WordPress repository plugins. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. As with all XSS vulnerabilities, a malicious payload could be used to perform actions as an administrator, including adding new malicious administrator users to the site and embedding backdoors in plugin and theme files, as well as redirecting users to malicious sites.
We encourage WordPress users to verify that their sites are updated to the latest patched version of each impacted plugin. For unpatched plugins that have been closed by the WordPress.org security team, we recommend that WordPress users delete the affected plugin and look for an alternative solution.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this type of vulnerability.
If you know someone who uses any of these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this type of vulnerability poses a significant risk.
For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.
Did you know that Wordfence has a Bug Bounty Program? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.
The post Over 100 WordPress Repository Plugins Affected by Shortcode-based Stored Cross-Site Scripting appeared first on Wordfence.