CVE-2024-2801

The Shopkeeper Extender plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its 'image_slide' shortcode [1]. The flaw arises from insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious HTML/JavaScript to be stored in the database.

Exploitation requires an authenticated user with at least contributor-level access. The attacker can inject arbitrary web scripts through the shortcode attributes, which are then stored and executed when any user (including administrators) views the affected page. No additional privileges or network position are needed beyond standard WordPress contributor capabilities.

Successful exploitation leads to arbitrary script execution in the context of the victim's browser. This can result in session hijacking, defacement, redirection to malicious sites, or theft of sensitive information such as cookies or authentication tokens. The impact is limited to the WordPress site's user base.

The vulnerability affects all versions up to and including 3.6. Users are advised to update to a patched version if available. As of the publication date, no workaround is documented, and the plugin's vendor should be contacted for remediation [1].