You Shang <= 1.0.1 - Authenticated Stored Cross-Site Scripting
Description
The You Shang WordPress plugin ≤1.0.1 fails to escape qrcode links settings, leading to stored XSS in posts and admin pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The You Shang WordPress plugin through version 1.0.1 does not sanitize or escape its qrcode links settings before output. This allows any authenticated user with the ability to edit plugin settings (such as administrators or, depending on roles, less-privileged users) to inject arbitrary JavaScript or HTML. The unsanitized input is stored and later rendered on frontend posts and the plugin's own settings page, making this a Stored Cross-Site Scripting (XSS) vulnerability [1].
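The defect described above, as an added PHP illustration that is not the plugin's own code: the unescaped output pattern beside a hardened version that sanitizes the setting on save and escapes it by output context. The option name `ys_qrcode_link`, the function names and the hook registration are assumptions; the WordPress functions used (`get_option`, `register_setting`, `esc_url_raw`, `esc_url`, `esc_html`, `esc_attr`) are standard core APIs.

```php
<?php
// Added illustration, not the You Shang plugin's code. The option name
// 'ys_qrcode_link' and the ys_* function names are assumptions.

// Vulnerable pattern: the stored setting is echoed into HTML unescaped.
// Whatever markup was saved into the option is rendered verbatim, both in
// the admin settings form and in front-end post output (stored XSS).
function ys_render_qrcode_link_unsafe() {
    $link = get_option( 'ys_qrcode_link', '' );
    echo '<a href="' . $link . '">' . $link . '</a>';
}

// Hardened pattern, part 1: sanitize on input. register_setting() with a
// sanitize_callback runs before the value is written to the options table,
// so only a plain URL string is ever stored.
function ys_register_settings() {
    register_setting(
        'ys_options',
        'ys_qrcode_link',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'ys_sanitize_qrcode_link',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'ys_register_settings' );

function ys_sanitize_qrcode_link( $value ) {
    // esc_url_raw() keeps the value storable (no HTML entities) while
    // dropping disallowed schemes such as javascript: and stray markup.
    return esc_url_raw( trim( (string) $value ) );
}

// Hardened pattern, part 2: escape on output, choosing the escaper by
// context: esc_url() inside href, esc_html() for text content. Output
// escaping also covers values saved before the sanitizer existed, i.e.
// data stored by the vulnerable version.
function ys_render_qrcode_link_safe() {
    $link = get_option( 'ys_qrcode_link', '' );
    echo '<a href="' . esc_url( $link ) . '">' . esc_html( $link ) . '</a>';
}

// Admin settings form field: esc_attr() for the value attribute.
function ys_render_settings_field() {
    $link = get_option( 'ys_qrcode_link', '' );
    echo '<input type="text" name="ys_qrcode_link" value="' . esc_attr( $link ) . '">';
}
```

When auditing a plugin for this class of bug, check both halves: a sanitize_callback alone leaves previously stored values live, and output escaping alone still lets junk into the database.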
Exploitation
An attacker must have at least contributor-level access to the WordPress site (or any role allowed to modify plugin settings) to insert a malicious payload into the qrcode links configuration field. No additional privileges or user interaction beyond navigating to the affected pages is required; the script executes automatically when a victim views a post or the plugin settings page that contains the stored payload. The attacker does not need to exploit any race condition or complex network position [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data (including login credentials and personal information) displayed on the WordPress site. The scope is limited to the affected WordPress instance and its users [1].
Mitigation
As of the latest available information, no patched version of the You Shang plugin has been released. The vendor has not addressed the issue, and the plugin remains vulnerable [1]. Site owners should consider disabling or removing the plugin until a fix is available. No workaround is documented [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
WordPress / You Shang
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/37554d0e-68e2-4df9-8c59-65f5cd7f184e
News mentions
No linked articles in our index yet.