Jetpack < 13.2.1 – Contributor+ Stored XSS | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

When the "Let visitors subscribe to new posts and comments via email" settings is enabled (in the Newsletter section), add the below shortcode to a post:

[jetpack_subscription_form title="hola \x3cscript\x3ealert(1)\x3c/script\x3e" show_only_email_and_button="" subscribe_text="\x3cscript\x3ealert(1)\x3c/script\x3e" ]

Affects Plugins

Fixed in 13.2.1

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Alex Concha

Submitter

Alex Concha

Verified

Yes

WPVDB ID

bfed3099-bd41-4988-a76b-2b9349051879

Timeline

Publicly Published

2024-03-25 (about 1 months ago)

Added

2024-03-25 (about 1 months ago)

Last Updated

2024-03-25 (about 1 months ago)

Other

Published

Title

Published

2022-01-18

Title

Five Star Business Profile and Schema < 2.1.7 - Subscriber+ Page Creation & Settings Update to Stored XSS

Published

2016-04-26

Title

Gnucommerce < 0.5.7-beta - XSS

Published

2024-04-23

Title

Blocksy < 2.0.34 - Contributor+ Stored XSS

Published

2023-04-18

Title

YellowPencil Visual CSS Style Editor < 7.5.9 - Admin+ Stored XSS

Published

2024-03-25

Title

Post Grid, Slider & Carousel Ultimate < 1.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting