In the Donorbox WordPress plugin, the included shortcode can be used to perform an XSS attack by inserting arbitrary HTML attributes. This vulnerability was introduced in v7.1 and fixed in v7.1.2.
[donate url=‘/?" autofocus onfocus="alert(window)" abitraryAttributeToValidateShortcodeParsing="’]
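The pattern behind this class of bug, as an added example that is not the Donorbox plugin's own code: a shortcode attribute interpolated into an HTML attribute without escaping, next to a hardened form, with a regression check that lists the attributes the rendered element ends up with. The handler names, the `<a class="donate">` markup and the allow-list are assumptions made for illustration; in a WordPress plugin, `esc_url()` and `esc_attr()` take the place of the stand-ins used here.

```php
<?php
// Added example: hypothetical handlers, not the Donorbox plugin's code.
// Outside WordPress, htmlspecialchars() stands in for esc_attr(); inside a
// plugin use esc_url() for URL attributes and esc_attr() for the rest.

// Vulnerable pattern: the shortcode attribute is interpolated as-is.
function render_unescaped(array $atts): string {
    return '<a class="donate" href="' . $atts['url'] . '">Donate</a>';
}

// Hardened pattern: restrict the scheme, then escape for an attribute context.
function render_escaped(array $atts): string {
    $url = (string) $atts['url'];
    $scheme = parse_url($url, PHP_URL_SCHEME);
    // Relative URLs have no scheme; anything other than http(s) is dropped.
    if (is_string($scheme) && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        $url = '#';
    }
    return '<a class="donate" href="'
        . htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">Donate</a>';
}

// Regression check: parse the output and list the attributes on the <a>.
function attribute_names(string $html): array {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $names = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    sort($names);
    return $names;
}

// Attribute value taken from the shortcode shown above.
$atts = ['url' => '/?" autofocus onfocus="alert(window)" abitraryAttributeToValidateShortcodeParsing="'];

$allowed = ['class', 'href']; // attributes the template itself emits
foreach (['render_unescaped', 'render_escaped'] as $render) {
    $extra = array_diff(attribute_names($render($atts)), $allowed);
    printf("%-16s unexpected attributes: %s\n", $render, $extra ? implode(', ', $extra) : 'none');
}
```

The same attribute-listing check can be kept as a unit test for any shortcode template, so that a value containing a double quote can never add attributes beyond the ones the template emits.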
CPE

Name | Operator | Version |
---|---|---|
donorbox-donation-form | lt | 7.1.2 |