Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
When the “Let visitors subscribe to new posts and comments via email” settings is enabled (in the Newsletter section), add the below shortcode to a post: [jetpack_subscription_form title=“hola \x3cscript\x3ealert(1)\x3c/script\x3e” show_only_email_and_button=“” subscribe_text=“\x3cscript\x3ealert(1)\x3c/script\x3e” ]
CPE | Name | Operator | Version |
---|---|---|---|
eq | 13.2.1 |