VYPR
Unrated severity · NVD Advisory · Published Jan 30, 2023 · Updated Mar 27, 2025

Icon Widget < 1.3.0 - Contributor+ Stored XSS via Shortcode

CVE-2022-4763

Description

The Icon Widget WordPress plugin before 1.3.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Icon Widget plugin before 1.3.0 allows contributor-level stored XSS via unescaped shortcode attributes, enabling attacks against admins.

Vulnerability

The Icon Widget WordPress plugin prior to version 1.3.0 fails to validate and escape some of its shortcode attributes before outputting them back in the page. This allows users with a role as low as Contributor to inject arbitrary JavaScript through crafted shortcode attributes, leading to Stored Cross-Site Scripting (XSS). The vulnerability affects all versions before 1.3.0 [1].
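To make the bug class concrete, the following is an added illustration, not the Icon Widget plugin's own code: a hypothetical `[demo_icon]` shortcode handler written the unsafe way the advisory describes (attribute values echoed straight into HTML), next to a version that validates or escapes each attribute for the context it lands in. The `demo_icon` shortcode, its attribute names and the icon whitelist are all invented for the example.

```php
<?php
// Added example, not the Icon Widget plugin's code. Both handlers accept the
// same hypothetical attributes: icon, url and title.

// UNSAFE pattern: attribute values are concatenated into markup verbatim.
// Anyone who can place a shortcode in a post (Contributor and up) controls
// every value, so a quote or angle bracket breaks out of the attribute.
function demo_icon_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'icon' => 'star', 'url' => '#', 'title' => '' ), $atts, 'demo_icon'
    );
    return '<a href="' . $atts['url'] . '" title="' . $atts['title'] . '">'
         . '<i class="icon icon-' . $atts['icon'] . '"></i></a>';
}

// HARDENED pattern: validate where a closed set exists, and escape every
// remaining value with the WordPress helper for its exact output context.
function demo_icon_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'icon' => 'star', 'url' => '#', 'title' => '' ), $atts, 'demo_icon'
    );

    // Constructed whitelist: only icon names the plugin actually ships.
    $allowed_icons = array( 'star', 'heart', 'home' );
    $icon = in_array( $atts['icon'], $allowed_icons, true ) ? $atts['icon'] : 'star';

    return sprintf(
        '<a href="%s" title="%s"><i class="icon icon-%s"></i></a>',
        esc_url( $atts['url'] ),      // drops URLs whose scheme is not in wp_allowed_protocols()
        esc_attr( $atts['title'] ),   // encodes quotes and angle brackets inside the attribute
        sanitize_html_class( $icon )  // leaves only [A-Za-z0-9_-] for the class token
    );
}

add_shortcode( 'demo_icon', 'demo_icon_shortcode_safe' );
```

When reviewing a plugin for this issue, look for shortcode handlers whose return value contains `$atts[...]` directly inside quotes or tags without an `esc_*` or sanitize call in between.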

Exploitation

An attacker with a Contributor-level account (or higher) can create or edit a post containing the vulnerable shortcode with malicious attribute values. The shortcode attributes are not sanitized or escaped, so the injected script is stored in the WordPress database and executed in the browser of any user viewing the affected page. The attacker does not need any special privileges beyond Contributor, and the attack does not require user interaction beyond viewing the page [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. Since the payload is stored and executed when high-privilege users (e.g., administrators) view the page, the attacker can perform actions such as stealing session cookies, creating new admin accounts, or modifying site content. This results in full compromise of the WordPress site's integrity and confidentiality [1].

Mitigation

The vulnerability is fixed in version 1.3.0 of the Icon Widget plugin. Users should update to this version or later immediately. There is no known workaround available for older versions [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in our index yet)