Image Over Image For WPBakery Page Builder < 3.0 - Contributor+ Stored XSS
Description
The Image Over Image For WPBakery Page Builder WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Image Over Image For WPBakery Page Builder plugin before 3.0 is vulnerable to stored XSS via unescaped shortcode attributes, allowing contributor-level users to inject malicious scripts.
Vulnerability
The Image Over Image For WPBakery Page Builder WordPress plugin before version 3.0 fails to validate and escape some of its shortcode attributes before outputting them back in a page or post where the shortcode is embedded. This allows users with the contributor role and above to inject arbitrary HTML and JavaScript. [1]
Exploitation
An attacker with at least contributor-level access can create or edit a post/page and insert the vulnerable shortcode with crafted attribute values containing malicious JavaScript. When the post/page is viewed by any user, the injected script executes in the context of the victim's browser. No additional user interaction is required beyond viewing the affected content. [1]
Impact
Successful exploitation results in stored cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the browsers of users who visit the compromised page, potentially leading to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is persistent and affects all visitors. [1]
Mitigation
The vulnerability is fixed in version 3.0 of the plugin. Users are strongly advised to update to 3.0 or later immediately. No workarounds are provided in the available references. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
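As an added, defender-side illustration of the bug class the advisory describes (this is not the plugin's own code; the shortcode tag iio_demo, its attribute names and the markup are assumptions made for the example), the unsafe pattern is shown next to the hardened form that WordPress plugin code normally uses: every attribute value is validated and escaped for the exact context it is written into.

```php
<?php
// Added example, not code from the Image Over Image plugin.
// Shortcode tag 'iio_demo' and the attributes 'image', 'alt', 'title' are assumptions.

// Unsafe pattern: attribute values are concatenated straight into HTML.
// A contributor controls every value; a double quote in 'alt' or 'title'
// ends the attribute, and a 'javascript:' URL is accepted in 'image'.
function iio_demo_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array(
        'image' => '',
        'alt'   => '',
        'title' => '',
    ), $atts, 'iio_demo' );

    return '<div class="iio-wrap" title="' . $atts['title'] . '">'
         . '<img src="' . $atts['image'] . '" alt="' . $atts['alt'] . '">'
         . '</div>';
}

// Hardened pattern: validate the URL and escape each value for its context.
function iio_demo_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array(
        'image' => '',
        'alt'   => '',
        'title' => '',
    ), $atts, 'iio_demo' );

    // esc_url() only allows the schemes in wp_allowed_protocols(); a value such
    // as 'javascript:...' comes back as '' and the shortcode renders nothing.
    $image = esc_url( $atts['image'] );
    if ( '' === $image ) {
        return '';
    }

    // esc_attr() encodes quotes, <, > and & so a value cannot leave its attribute.
    // esc_url() output is already attribute-safe, so it is used directly in src.
    return '<div class="iio-wrap" title="' . esc_attr( $atts['title'] ) . '">'
         . '<img src="' . $image . '" alt="' . esc_attr( $atts['alt'] ) . '">'
         . '</div>';
}

// Only the hardened handler is registered; the unsafe one is shown for contrast.
add_shortcode( 'iio_demo', 'iio_demo_shortcode_safe' );
```

The rule the fix applies is "escape on output, per context": esc_attr() for values inside HTML attributes, esc_url() for anything used as a URL, esc_html() for text nodes, and wp_kses() with an explicit allow-list where an attribute is meant to carry limited HTML. Reviewing a plugin's shortcode callbacks for attribute values that reach the returned string without passing through one of these functions is the quickest way to spot this class of defect before an advisory does.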
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
- wpscan.com/vulnerability/702d7bbe-93cc-4bc2-b41d-cb66e08c99a7 (tags: mitre, exploit, vdb-entry, technical-description)
News mentions: 0
No linked articles in our index yet.