Source: wpvulndb | Author: Bob Matyas | WPVDB-ID: C430B30D-61DB-45F5-8499-91B491503B9C
History: Apr 26, 2024 - 12:00 a.m.

Swift Framework < 2024.0.0 - Contributor+ Stored XSS via Shortcode

Published: 2024-04-26 00:00:00
Reporter: Bob Matyas
Source: wpscan.com
5
Tags: swift framework, stored xss, shortcode, poc, may 10, security issue, contributor role

AI Score: 5.2 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

Description: The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page. This could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.

PoC

1. As a contributor, go to “Swift Slider > Add New Slide”.
2. In “Content > Caption Text”, add the PoC:

   [spb_boxed_content element_name="red" title=""test" box_link="red"" box_link_target="self" el_class='red" onmouseover="alert(/XSScontrib5/)"' width='1/1' el_position="first last"]test content[/spb_boxed_content]

3. When an admin approves the slide, the XSS will be seen.

Note: Other shortcodes throughout the plugin are vulnerable to the same issue.
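The root cause described above is shortcode attribute values being written into HTML attribute context without escaping, so a value containing a quote can terminate the attribute and start a new one. The following is an added example, not code from the Swift Framework plugin: a hypothetical `example_boxed_content` shortcode shown first in the unescaped pattern and then in a hardened form that allow-lists attributes and escapes each value for the context it lands in. All function and attribute names in the example are assumptions; the WordPress helpers used (`shortcode_atts`, `sanitize_html_class`, `esc_url`, `esc_html`, `esc_attr`, `wp_kses_post`, `add_shortcode`) are standard core functions.

```php
<?php
// Added example (not the plugin's own code). Shortcode name and attribute
// names are hypothetical; the helpers are WordPress core functions.

// Weak pattern: attribute values go straight into markup. A value that
// contains a double quote can close the attribute and append new ones,
// which is the class of bug the advisory describes.
function example_boxed_content_unsafe( $atts, $content = '' ) {
    $a = shortcode_atts( array(
        'title'           => '',
        'el_class'        => '',
        'box_link'        => '',
        'box_link_target' => 'self',
    ), $atts );

    return '<div class="boxed ' . $a['el_class'] . '">'
        . '<a href="' . $a['box_link'] . '" target="' . $a['box_link_target'] . '">'
        . $a['title'] . '</a>'
        . do_shortcode( $content )
        . '</div>';
}

// Hardened pattern: every attribute is untrusted input. Restrict each one to
// the shape it needs, then escape for the exact output context.
function example_boxed_content_safe( $atts, $content = '' ) {
    $a = shortcode_atts( array(
        'title'           => '',
        'el_class'        => '',
        'box_link'        => '',
        'box_link_target' => 'self',
    ), $atts, 'example_boxed_content' );

    // CSS class: reduce to a safe character set instead of escaping free text.
    $class = sanitize_html_class( $a['el_class'] );

    // Link target: accept only known values, never the raw attribute.
    $target = in_array( $a['box_link_target'], array( 'self', 'blank' ), true )
        ? '_' . $a['box_link_target']
        : '_self';

    // URL: esc_url() drops disallowed schemes such as javascript:.
    $href = esc_url( $a['box_link'] );

    // Title is rendered as element text, so HTML-escape it.
    $title = esc_html( $a['title'] );

    $html = '<div class="boxed ' . esc_attr( $class ) . '">';
    if ( '' !== $href ) {
        $rel   = ( '_blank' === $target ) ? ' rel="noopener"' : '';
        $html .= '<a href="' . $href . '" target="' . esc_attr( $target ) . '"' . $rel . '>'
            . $title . '</a>';
    } else {
        $html .= $title;
    }

    // Nested content: run shortcodes, then keep only the post_content allow-list
    // so a low-privilege author cannot smuggle in raw HTML or event handlers.
    $html .= wp_kses_post( do_shortcode( $content ) );

    return $html . '</div>';
}
add_shortcode( 'example_boxed_content', 'example_boxed_content_safe' );
```

The design point is that `shortcode_atts()` alone is not a sanitizer; it only fills defaults. Each value still has to be constrained (`sanitize_html_class`, an allow-list for `target`) or escaped for its context (`esc_url` for `href`, `esc_attr` inside attributes, `esc_html` between tags). Because Contributors can save shortcodes but not `unfiltered_html`, the shortcode handler is the boundary where this escaping must happen before an administrator previews or approves the content.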

CPE: Name: (not given) | Operator: eq | Version: 2024.0.0
