VYPR
Unrated severity · NVD Advisory · Published Jun 12, 2023 · Updated Jan 3, 2025

File Away <= 3.9.9.0.1 - Contributor+ Stored XSS via Shortcode

CVE-2023-0431

Description

The File Away WordPress plugin through 3.9.9.0.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as Contributor to perform a Stored Cross-Site Scripting attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Patches

Vulnerability mechanics

Root cause

"Missing input validation and output escaping on a shortcode attribute allows stored cross-site scripting."

Attack vector

An attacker with a role as low as Contributor can place JavaScript in a shortcode attribute that the plugin neither validates nor escapes [ref_id=1]. When the shortcode is rendered, the raw attribute value is written straight into the page HTML, so the attacker's script executes in the browser of whoever views that page, including Editors and Administrators reviewing the post. This is Stored Cross-Site Scripting (XSS) because the payload persists in the post content in the WordPress database and is re-rendered on every view [CWE-79].

Affected code

The vulnerability exists in the File Away WordPress plugin, versions through 3.9.9.0.1. The advisory does not name the affected file, function or attribute; it states only that one of the plugin's shortcode attributes is output without validation or escaping [ref_id=1].

What the fix does

The advisory states that no fixed version is known for the File Away plugin through 3.9.9.0.1 [ref_id=1]. A correct fix treats every shortcode attribute as untrusted input: values that select behaviour (an element name, a mode, an ID) are validated against an allow-list or cast to the expected type, and free-text values are escaped for the exact HTML context in which they are output (an attribute value versus a text node), using WordPress's `esc_attr()` and `esc_html()` rather than relying on filtering at save time alone. Escaping at output is what matters here, because the shortcode is expanded on every render from whatever is stored in the post.
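The handler pattern the root-cause quote describes, next to the validate-then-escape fix the paragraph above calls for, as an added PHP example. This is not File Away's code: the shortcode tag `example_files`, its attributes `caption` and `tag`, and the function shims are assumptions chosen so the file runs both inside WordPress and stand-alone from the php CLI; the attribute-breakout payload at the bottom is constructed for the demonstration.

```php
<?php
// Added example, not File Away's own code. Shortcode tag and attribute names
// are hypothetical. Shims below are only used when WordPress is not loaded.

if (!function_exists('shortcode_atts')) {
    // Stand-in for WordPress's shortcode_atts(): merge caller attributes over defaults.
    function shortcode_atts(array $pairs, $atts) {
        $atts = (array) $atts;
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    // Stand-in for esc_attr(): escape for an HTML attribute value context.
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    // Stand-in for esc_html(): escape for an HTML text-node context.
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_key')) {
    // Stand-in for sanitize_key(): lowercase and keep only [a-z0-9_-].
    function sanitize_key($key) {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
    }
}

// VULNERABLE: attribute values are interpolated straight into the markup.
// A Contributor controls $atts through the shortcode text in the post body.
function example_files_shortcode_vulnerable($atts) {
    $a = shortcode_atts(['caption' => '', 'tag' => 'div'], $atts);
    return "<{$a['tag']} class=\"files\" title=\"{$a['caption']}\">{$a['caption']}</{$a['tag']}>";
}

// HARDENED: validate attributes that select behaviour against an allow-list,
// and escape free-text attributes for the exact context they are written into.
function example_files_shortcode_hardened($atts) {
    $a = shortcode_atts(['caption' => '', 'tag' => 'div'], $atts);

    // 'tag' picks an element name. Escaping cannot make an arbitrary element
    // name safe (e.g. "script"), so only an allow-list is acceptable here.
    $allowed_tags = ['div', 'span', 'p'];
    $tag = sanitize_key($a['tag']);
    if (!in_array($tag, $allowed_tags, true)) {
        $tag = 'div';
    }

    // 'caption' is free text; it lands in two different contexts, so it gets
    // the escaper for each one.
    $caption_attr = esc_attr($a['caption']);
    $caption_html = esc_html($a['caption']);

    return "<{$tag} class=\"files\" title=\"{$caption_attr}\">{$caption_html}</{$tag}>";
}

// Inside WordPress, register only the hardened handler.
if (function_exists('add_shortcode')) {
    add_shortcode('example_files', 'example_files_shortcode_hardened');
}

// Stand-alone run: a constructed payload that breaks out of the title attribute
// and swaps the element name. No <script> tag is needed, which is why KSES
// (applied to Contributors' post content) does not stop this class of payload.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $payload = ['caption' => '" onmouseover="alert(1)', 'tag' => 'script'];
    echo "vulnerable: ", example_files_shortcode_vulnerable($payload), "\n";
    echo "hardened:   ", example_files_shortcode_hardened($payload), "\n";
}
```

Run it with `php example.php`: the vulnerable handler emits a `<script>` element carrying a live `onmouseover` handler, while the hardened handler emits a `<div>` whose quotes are entity-encoded in both the attribute and the text node. The split between allow-listing (`tag`) and escaping (`caption`) is the point: escaping is the right tool for data, but not for values that change which element or attribute is written.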

Preconditions

  • auth: The attacker must have a WordPress user role of Contributor or higher.
  • config: The site must have the File Away plugin installed and activated (version through 3.9.9.0.1).
  • input: The attacker must be able to create or edit posts containing the vulnerable shortcode.

Reproduction

As a Contributor-level user, create a new post (Contributors cannot create pages or publish; they can save drafts, preview them and submit them for review). Insert the vulnerable File Away shortcode with a payload in the unescaped attribute. The advisory does not name the attribute, so `attribute` here is a placeholder: `[fileaway attribute="<script>alert('XSS')</script>"]`. Two caveats matter in practice. First, Contributors lack the `unfiltered_html` capability, so WordPress's KSES filter strips `<script>` tags from the post content on save; a payload that instead breaks out of the HTML attribute or element the plugin writes the value into (quote characters followed by an event-handler attribute) is not an HTML tag and passes KSES untouched. Second, the shortcode is only expanded at render time, so the script runs when the draft is previewed, when an Editor or Administrator opens the submitted post for review, and for every visitor once the post is published [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet).