WordPress Simple Shopping Cart < 4.6.2 - Contributor+ Stored XSS via Shortcode

Vulnerability

The WordPress Simple Shopping Cart plugin versions before 4.6.2 fail to validate and escape certain shortcode attributes before outputting them in the page. This allows users with a role as low as Contributor to inject arbitrary JavaScript. The vulnerability is stored in the shortcode output, affecting any page where the shortcode is used [1].

Exploitation

An attacker with Contributor-level access can craft a post or page containing the vulnerable shortcode with malicious attribute values. When a higher-privileged user (e.g., Admin) views the page, the injected script executes. No additional authentication or network position is required beyond the contributor's existing access.

Impact

Successful exploitation leads to Stored Cross-Site Scripting (XSS), enabling the attacker to perform actions on behalf of the victim, such as stealing session cookies, modifying content, or escalating privileges. The attack targets high-privilege users, increasing the potential impact.

Mitigation

The vulnerability is fixed in version 4.6.2 of the plugin. Users should update to this version or later. No workarounds are provided in the available references. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].