Threepress <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

An authenticated attacker with contributor-level access or above can inject arbitrary web scripts by crafting a malicious shortcode attribute (e.g., `bg_color` or `name`) containing JavaScript payloads. When the shortcode is rendered on a page, the unsanitized attribute values are embedded into the page output via `json_encode($attr)`, causing the injected script to execute in the browser of any user who visits the page. This is a classic Stored Cross-Site Scripting (XSS) attack [CWE-79].

The vulnerability resides in the `shortcode()` method of the Threepress plugin (file `threepress.php`). The method takes user-supplied shortcode attributes and passes them directly into `json_encode($attr)` without sanitizing or escaping the attribute values. Specifically, attributes such as `name`, `bg_color`, and others are not filtered before being output in the rendered shortcode response.

The patch (version 1.7.2) does not appear in the provided bundle; however, the advisory states that the fix involves adding proper input sanitization and output escaping on user-supplied shortcode attributes. The vulnerable code in `shortcode()` directly outputs `json_encode($attr)` without filtering attribute values like `name` or `bg_color`. A proper fix would escape or validate each attribute before it is included in the JSON output, preventing script injection.