WordPress WP-Appbox plugin <= 4.3.20 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

An authenticated administrator user can insert a crafted shortcode into a WordPress post or page. This shortcode contains JavaScript code within one of the parameters, such as the app ID. When another user views the post or page containing this shortcode, the embedded JavaScript is executed in their browser, leading to a stored XSS attack [ref_id=1].

The vulnerability lies within the WP-Appbox plugin, specifically in how it processes and displays data from shortcodes. The exact functions or files are not detailed in the provided changelog, but the fix involves sanitizing inputs related to app details that are rendered on the frontend [ref_id=1].

The patch addresses the vulnerability by sanitizing user input before it is rendered on the page. Specifically, it ensures that any HTML or script tags within the app ID or other shortcode parameters are properly escaped. This prevents the browser from interpreting the injected code as executable JavaScript, thereby mitigating the XSS risk [ref_id=1].