Buttons Shortcode and Widget <= 1.16 - Stored XSS via shortcode
Description
The Buttons Shortcode and Widget WordPress plugin through 1.16 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Buttons Shortcode and Widget plugin through v1.16 has a Stored XSS vulnerability via unsanitized shortcode attributes, exploitable by contributor-level users.
Vulnerability
The Buttons Shortcode and Widget WordPress plugin, through version 1.16, fails to validate and escape some of its shortcode attributes before outputting them in the page or post where the shortcode is embedded. Contributors cannot normally place raw HTML in a post: WordPress runs their content through the KSES filter, which strips disallowed tags and attributes at save time. Shortcode attribute values are plain text rather than HTML tags, so KSES leaves them untouched, and the plugin then writes them into its own markup without the context-appropriate escaping that WordPress provides (esc_attr(), esc_url(), esc_html()). A user with the contributor role or above can therefore inject arbitrary HTML and JavaScript through a crafted shortcode attribute, for example a value that closes the surrounding attribute quote and appends an event handler, resulting in Stored Cross-Site Scripting (XSS). All versions up to and including 1.16 are affected [1].
Exploitation
The attacker needs a WordPress account with the contributor role or higher. They add the plugin's shortcode to a post or page and place the payload in one of the unescaped attributes. Because a contributor cannot publish, the post normally waits in the pending queue, so the first victims are the editors or administrators who preview or review it; once the post is published, the script runs in the browser of every visitor who renders the page. No interaction is required beyond viewing the affected content [1].
Impact
Successful exploitation executes attacker-controlled JavaScript in the browser of anyone viewing the compromised page. Typical consequences are defacement, redirection to malicious sites and theft of data visible to the page. Because WordPress marks its authentication cookies HttpOnly, the more realistic abuse against a logged-in editor or administrator is to drive that user's authenticated session from the injected script (it can issue requests to wp-admin as the victim) rather than to read the cookie directly. The payload is stored, so it persists in the post and affects every subsequent viewer until the content is cleaned [1].
Mitigation
As of the publication date (2024-03-18) no fixed version had been released; the plugin is reported as end-of-life (EOL) and no patch is known. Users are advised to remove the plugin, or replace it with an actively maintained alternative, rather than wait for a fix. Removal stops the shortcode from rendering (WordPress prints an unregistered shortcode as literal text, so a stored payload becomes inert), but the payload itself stays in the database: existing posts and pages should be reviewed for the plugin's shortcode carrying unexpected attribute values, and the account that planted one should be examined. The vulnerability has been publicly disclosed; it is not listed in CISA's Known Exploited Vulnerabilities catalog at this time, but mitigation through removal is strongly recommended [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
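Added example, not the plugin's code and not WordPress core code: a hypothetical [button] shortcode rendered the unescaped way the Vulnerability and Exploitation sections describe, beside an escaped version, plus a triage scan for attribute values already stored in post content, which serves the Mitigation note on reviewing existing posts. The shortcode name, its attribute names (url, text, color) and the markup are assumptions. The esc_attr()/esc_url() stand-ins are simplified so the file runs with plain php outside WordPress; inside a plugin, the WordPress functions are used instead.

```php
<?php
// Added example (not the plugin's code): why an unescaped shortcode attribute
// becomes stored XSS, what the escaped handler looks like, and a triage scan
// for payloads already stored in post content. The shortcode name [button],
// its attributes (url, text, color) and the markup are hypothetical.
declare(strict_types=1);

// Simplified stand-ins so the file runs with plain `php` outside WordPress.
// WordPress's real esc_attr()/esc_url() do more; inside a plugin use those.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        $url = trim($url);
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        // allow http(s), or a relative/fragment URL with no control characters
        $ok = in_array($scheme, ['http', 'https'], true)
            || ($scheme === '' && preg_match('~^[/#?][^\x00-\x20]*$~', $url) === 1);
        return $ok ? esc_attr($url) : '';
    }
}

// Parse key="v", key='v' and key=v pairs from a shortcode body (simplified
// version of WordPress's shortcode_parse_atts()). A quoted value may contain
// the other quote character, which is exactly what a breakout payload uses.
function parse_atts(string $body): array {
    $atts = [];
    preg_match_all('/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))/', $body, $m,
        PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL);
    foreach ($m as $p) {
        $atts[strtolower($p[1])] = $p[2] ?? $p[3] ?? $p[4] ?? '';
    }
    return $atts;
}

// Vulnerable pattern: attribute values concatenated straight into HTML.
// KSES has already run on the post body, but it only filters HTML tags, so
// the text inside [button ...] reaches this function unchanged.
function render_button_vulnerable(array $atts): string {
    $a = array_merge(['url' => '#', 'text' => 'Click', 'color' => ''], $atts);
    return '<a href="' . $a['url'] . '" class="btn ' . $a['color'] . '">'
        . $a['text'] . '</a>';
}

// Hardened pattern: keep only known attributes, validate the one that must be
// a plain token, and escape each value for the context it lands in.
function render_button_hardened(array $atts): string {
    $defaults = ['url' => '#', 'text' => 'Click', 'color' => ''];
    $a = array_intersect_key(array_merge($defaults, $atts), $defaults);
    $color = preg_match('/^[a-z0-9-]{0,32}\z/', (string) $a['color']) === 1 ? $a['color'] : '';
    $url = esc_url((string) $a['url']) ?: '#';   // non-http(s) schemes are dropped
    return '<a href="' . $url . '" class="btn ' . esc_attr($color) . '">'
        . esc_attr((string) $a['text']) . '</a>';
}

// Triage helper for existing content: flag [button] attribute values that can
// break out of an HTML attribute or carry a script URL. Intentionally noisy.
function flag_suspicious_shortcodes(string $content): array {
    $hits = [];
    preg_match_all('/\[button\b([^\]]*)\]/i', $content, $m);
    foreach ($m[1] as $body) {
        foreach (parse_atts($body) as $name => $value) {
            if (preg_match('/[<>"\']|\bon\w+\s*=|javascript:|data:/i', $value) === 1) {
                $hits[] = [$name, $value];
            }
        }
    }
    return $hits;
}

if (function_exists('add_shortcode')) {
    // Inside WordPress: register the hardened handler under a hypothetical tag.
    add_shortcode('button_hardened', function ($atts) {
        return render_button_hardened((array) $atts);
    });
} elseif (PHP_SAPI === 'cli') {
    // Constructed sample of a contributor's post body, not real site data.
    $post = <<<'TXT'
Intro [button url="https://example.com/" text="Sign up"] and a planted one:
[button url='javascript:alert(document.cookie)' text="Free" color='x" onmouseover="alert(1)']
TXT;
    preg_match_all('/\[button\b([^\]]*)\]/i', $post, $m);
    foreach ($m[1] as $body) {
        $atts = parse_atts($body);
        echo 'vulnerable: ', render_button_vulnerable($atts), "\n";
        echo 'hardened:   ', render_button_hardened($atts), "\n";
    }
    print_r(flag_suspicious_shortcodes($post));
}
```

Run with `php example.php`: for the constructed sample the vulnerable renderer emits the injected onmouseover handler and the javascript: URL into the anchor, the hardened one drops both and falls back to its defaults, and the scan lists the two offending attributes. In a real plugin, shortcode_atts() performs the attribute whitelisting that array_intersect_key() approximates here.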
Affected products
Range: <=1.16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/8e286c04-ef32-4af0-be78-d978999b2a90/ (reference tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.