Wonder Video Embed < 1.8 - Contributor+ Stored XSS
Description
The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/Wonder Video Embed
- Range: <1.8
Patches
Vulnerability mechanics
Root cause
"Missing output escaping of shortcode parameters in the wonderplugin_video shortcode allows stored cross-site scripting."
Attack vector
An attacker with a role as low as Contributor can inject arbitrary JavaScript into a WordPress post or page by embedding the `wonderplugin_video` shortcode with malicious payloads in its parameters. Because the plugin fails to escape shortcode parameters [CWE-79], the injected script is stored on the server and executed in the browser of any user who views the affected content. The attack requires only the ability to create or edit posts (Contributor-level access) and does not require any special network position beyond normal WordPress usage.
Affected code
The `wonderplugin_video` shortcode in the Wonder Video Embed plugin does not escape its parameters before output. The advisory does not specify the exact file or function name, but the vulnerable code is in the shortcode handler that processes and renders the shortcode attributes.
What the fix does
The advisory states the vulnerability is fixed in version 1.8 of the Wonder Video Embed plugin. The fix involves properly escaping the parameters of the `wonderplugin_video` shortcode before output, preventing injected HTML or JavaScript from being interpreted by the browser. No patch diff is available in the bundle, but the remediation guidance is to update to version 1.8 or later.
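The following is an added illustration of the bug class the advisory describes, not the plugin's own code (the advisory names no file, function or parameter): an unescaped shortcode handler next to its escaped counterpart. The attribute names src, width and height are assumptions, and the WordPress stand-ins exist only so the file runs outside WordPress.

```php
<?php
// Added example, not the Wonder Video Embed plugin's code. Attribute names
// (src/width/height) are assumptions; the advisory does not list the
// affected wonderplugin_video parameters.

// Stand-ins so the file runs outside WordPress. Inside WordPress the real
// shortcode_atts(), esc_url() and absint() are defined and used instead.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts) {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
    function absint($v) { return abs((int) $v); }
    function esc_url($url) {
        // Simplified: only http(s) URLs survive, everything else becomes empty.
        if (!preg_match('#^https?://#i', $url)) { return ''; }
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}

function wpv_example_defaults() {
    return ['src' => '', 'width' => '640', 'height' => '360'];
}

// Vulnerable shape: attribute values are concatenated into HTML verbatim, so
// a double quote inside a parameter ends the attribute and the remainder of
// the value is emitted as markup in every viewer's browser.
function wonderplugin_video_unescaped($atts) {
    $a = shortcode_atts(wpv_example_defaults(), $atts);
    return '<video src="' . $a['src'] . '" width="' . $a['width']
         . '" height="' . $a['height'] . '"></video>';
}

// Fixed shape: each attribute goes through the escaper matching its output
// context (URL for src, integer coercion for dimensions) before rendering.
function wonderplugin_video_escaped($atts) {
    $a = shortcode_atts(wpv_example_defaults(), $atts);
    return sprintf('<video src="%s" width="%d" height="%d"></video>',
        esc_url($a['src']), absint($a['width']), absint($a['height']));
}

// Inside WordPress, the escaped handler is the one that should be registered.
if (function_exists('add_shortcode')) {
    add_shortcode('wonderplugin_video', 'wonderplugin_video_escaped');
}

// Constructed attribute values of the kind a Contributor could place in a post.
$tainted = ['src' => 'javascript:alert(1)', 'width' => '640" onmouseover="alert(1)'];
echo wonderplugin_video_unescaped($tainted), PHP_EOL;
echo wonderplugin_video_escaped($tainted), PHP_EOL;
```

Running the file prints the two renderings side by side: the first carries the injected attribute into the page, the second reduces the tainted src to an empty string and the width to the integer 640.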
Preconditions
- Auth: Attacker must have a WordPress account with at least Contributor role.
- Config: The Wonder Video Embed plugin must be installed and active with a version prior to 1.8.
- Input: Attacker must be able to create or edit posts/pages containing shortcodes.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- wpscan.com/vulnerability/67910e5d-ea93-418b-af81-c50d0e05d213 (MITRE, x_refsource_MISC)