Zakaria

The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

**Name of the Vulnerable Software and Affected Versions** ePaperFlip Publisher versions prior to 1.1 **Description** The ePaperFlip Publisher plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the `publicationid` attribute of the `epaperflip embed` shortcode lacks sufficient input sanitization and output escaping, allowing the attribute to be injected directly into inline JavaScript. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update to a version later than 1. As a temporary workaround, restrict the use of the `publicationid` attribute within the `epaperflip embed` shortcode for users with Contributor-level access.

**Name of the Vulnerable Software and Affected Versions** TinyMCE shortcode Addon plugin for WordPress versions prior to 1.0.1 **Description** Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access or higher to perform Stored Cross-Site Scripting. This is achieved by injecting arbitrary web scripts through the `btnrel` shortcode attribute, which execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 1.0.0. As a temporary mitigation, restrict the use of the `btnrel` attribute in shortcodes for users with contributor-level access.

**Name of the Vulnerable Software and Affected Versions** DeMomentSomTres Shortcodes versions prior to 1.1.2 **Description** The DeMomentSomTres Shortcodes plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the `st callout()` function fails to properly sanitize input and escape output for the `width` and `align` attributes of the 'callout' shortcode, concatenating these values directly into an HTML style attribute. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update to a version later than 1.1.1. As a temporary workaround, restrict the use of the 'callout' shortcode or limit the `width` and `align` attributes until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Easy Cart versions prior to 1.9 **Description** The Easy Cart plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. This occurs because the `ectp add to cart()` function fails to properly escape double quote characters when processing shortcode attributes, allowing an attacker to break out of the HTML attribute context and inject event handlers. The affected attributes include `itemid`, `product name`, `product desc`, `product qty`, and `price` within the 'add to cart' shortcode. **Recommendations** Update to a version later than 1.8. As a temporary workaround, restrict the use of the 'add to cart' shortcode and its attributes `itemid`, `product name`, `product desc`, `product qty`, and `price` for users with Contributor-level access.

**Name of the Vulnerable Software and Affected Versions** Github Shortcode versions prior to 0.2 **Description** The Github Shortcode plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because of insufficient input sanitization and output escaping within the `repo` attribute of the 'github' shortcode. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 0.1. As a temporary workaround, restrict the ability of users with Contributor-level access to use the `repo` attribute in the 'github' shortcode.

**Name of the Vulnerable Software and Affected Versions** My Email Shortcode versions prior to 0.92 **Description** The plugin is subject to Stored Cross-Site Scripting, a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input sanitization and output escaping within the `subject` attribute of the 'my-email' shortcode. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 0.91.

The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

**Name of the Vulnerable Software and Affected Versions** faq shortocde versions prior to 1.1 **Description** The faq shortocde plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the `color` attribute within the 'faq' shortcode does not have sufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 1.0. As a temporary mitigation, restrict the use of the `color` attribute in the 'faq' shortcode for users with Contributor-level access.

The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes (src, start, end) in the listenEmbedJS() function, which are echoed inside a single-quoted HTML attribute without escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The hk shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankong post short title plane() function, where the 'title' attribute is concatenated directly into HTML output without any escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

**Name of the Vulnerable Software and Affected Versions** Faces of Users versions prior to 0.0.4 **Description** The Faces of Users plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping within the `default` attribute of the 'facesofusers' shortcode. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 0.0.3. As a temporary workaround, restrict the use of the `default` attribute in the 'facesofusers' shortcode for users with Contributor-level access.

The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `social` shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Bootstrap Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `box` shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

**Name of the Vulnerable Software and Affected Versions** WP-Clippy versions prior to 1.0.1 **Description** The WP-Clippy plugin for WordPress contains a stored cross-site scripting issue. This occurs because of insufficient input sanitization and output escaping on user-supplied attributes within the `clippy` shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts into pages, which then execute when a user visits the affected page. **Recommendations** Update to a version later than 1.0.0.

**Name of the Vulnerable Software and Affected Versions** WPMK Block versions prior to 1.0.2 **Description** The WPMK Block plugin for WordPress contains a Stored Cross-Site Scripting issue. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. This occurs because the `wpmk block shortcode()` function fails to properly sanitize and escape the 'class' attribute within shortcodes, allowing the input to be directly concatenated into an HTML div element's class attribute. **Recommendations** Update to a version newer than 1.0.1. As a temporary workaround, restrict the ability of Contributor-level users to edit shortcode attributes.

**Name of the Vulnerable Software and Affected Versions** Twittee Text Tweet versions prior to 1.0.9 **Description** Insufficient input sanitization and output escaping in the `ttt twittee tweeter()` function allow authenticated attackers with Contributor-level access and above to inject arbitrary web scripts. The function uses `extract()` to pull shortcode attributes into local variables and concatenates them into HTML output without escaping. Specifically, the `id` parameter is inserted into an HTML id attribute context without proper attribute escaping, enabling the injection of arbitrary HTML event handlers. Furthermore, the `tweet`, `content`, `balloon`, and `theme` attributes are injected into inline JavaScript without escaping. **Recommendations** Update to a version newer than 1.0.8.

The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize text field() on the 'userhash' parameter, which strips HTML tags but does not escape characters significant in a JavaScript string context (such as double quotes, semicolons, and parentheses). The sanitized value is then directly interpolated into a JavaScript string within a <script> tag on line 29 without any JavaScript-specific escaping (e.g., wp json encode() or esc js()). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

**Name of the Vulnerable Software and Affected Versions** Surbma | Booking.com Shortcode plugin for WordPress versions prior to 2.2 **Description** The plugin is susceptible to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user supplied attributes within the `surbma-bookingcom` shortcode. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which execute when a user visits the affected page. **Recommendations** Update the plugin to a version later than 2.1.