Nail Majdeddine

**Name of the Vulnerable Software and Affected Versions** Extra Settings for RocketChat versions prior to 0.2 **Description** The Extra Settings for RocketChat plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the `rxstg shortcode()` function fails to properly sanitize input and escape output when processing the `title` attribute of the 'rocketchat' shortcode, concatenating it directly into the HTML output. Authenticated attackers with contributor-level access or higher can exploit this to inject arbitrary web scripts into pages, which then execute when accessed by other users. **Recommendations** Update the plugin to a version later than 0.1. As a temporary workaround, restrict the use of the `title` attribute within the 'rocketchat' shortcode for users with contributor-level access.

The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the as get coin shortcode() function, which renders the 'width' (and 'height') shortcode attribute directly into the style attribute of an <iframe> element without applying any escaping function such as esc attr(). An attacker-controlled value like '100px;"onload="alert(1)" x="' terminates the style attribute prematurely and injects an arbitrary HTML attribute into the iframe tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the `title-ticker-slide`, `title-ticker-fade`, and `title-ticker-typing` shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes (notably `border`, `width`, `height`, `header background`, `header text color`, and `id`) within the `gntt title ticker slide()`, `gntt title ticker fade()`, and `gntt title ticker typing()` functions. None of these attribute values are passed through `esc attr()` or any other escaping function before being concatenated into HTML output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in the gbi toprint shortcode() function, which concatenates the raw shortcode attribute value directly into an HTML attribute without applying esc attr() or any other sanitization. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Endless Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes ('id' and 'name') in the gplusnamelink generate() function, which are concatenated directly into the rendered HTML without calling esc attr() or esc html(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' (and 'button') shortcode attributes in the rspc check shortcode() function, which are echoed directly into iframe src attributes without esc attr() or esc url(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied 'width' and 'height' shortcode attributes within the islamicDB sc quran qari roqya() function, which are concatenated directly into HTML iframe attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes ('title', 'align', and 'width') in the tuxquote build format() function, which are concatenated into the rendered HTML without being passed through esc attr() or esc html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute without escaping in the dideo() shortcode handler. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Credits Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the 'credits' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Quick Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' attribute of the 'qtbl' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

**Name of the Vulnerable Software and Affected Versions** Simple Owl Shortcodes versions prior to 2.1.2 **Description** The Simple Owl Shortcodes plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping of user-supplied attributes within the 'owls wrapper' shortcode, specifically affecting the `num` attribute. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update to a version later than 2.1.1. As a temporary workaround, restrict the use of the `num` attribute in the 'owls wrapper' shortcode.

**Name of the Vulnerable Software and Affected Versions** Simple Random Posts Shortcode versions prior to 0.4 **Description** The Simple Random Posts Shortcode plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages. This occurs because the plugin fails to properly sanitize input and escape output for the `container right width` attribute within the 'simple random posts' shortcode. These scripts execute whenever a user visits the affected page. **Recommendations** Update the plugin to a version newer than 0.3. As a temporary workaround, restrict the use of the `container right width` attribute in the 'simple random posts' shortcode.

**Name of the Vulnerable Software and Affected Versions** Posts map plugin for WordPress versions prior to 0.1.4 **Description** Insufficient input sanitization and output escaping on user supplied attributes allow authenticated attackers with contributor-level access and above to inject arbitrary web scripts. This occurs via the 'name' shortcode attribute, resulting in scripts that execute whenever a user accesses an injected page. Stored Cross-Site Scripting is a flaw where a malicious script is permanently stored on the target server. **Recommendations** Update the plugin to a version later than 0.1.3.

**Name of the Vulnerable Software and Affected Versions** SlideShowPro SC versions prior to 1.0.3 **Description** The SlideShowPro SC plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping on user supplied attributes within the `slideShowProSC` shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 1.0.2.

**Name of the Vulnerable Software and Affected Versions** Text Snippets versions prior to 0.0.2 **Description** The Text Snippets plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping on user supplied attributes within the `ts` shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update to a version later than 0.0.1.

**Name of the Vulnerable Software and Affected Versions** VI: Include Post By versions prior to 0.4.200706 **Description** Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping on user supplied attributes. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts via the `class container` attribute of the 'include-post-by-cat' shortcode. These scripts execute whenever a user accesses an affected page. **Recommendations** Update to a version later than 0.4.200706.