19 May 2025

Wordfence Missed That Authenticated Persistent XSS Vulnerability in 2+ Million Install MC4WP: Mailchimp for WordPress Wasn’t Fixed

Back in September, the developer of the 2+ million install WordPress plugin MC4WP: Mailchimp for WordPress and Wordfence claimed that a minor vulnerability had been fixed. The fix was obviously incomplete, and it turns out the issue is wider than that.


1 May 2025

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Download Manager

The developer of the WordPress plugin Download Manager has continued not to secure their plugin against authenticated persistent cross-site scripting (XSS) through shortcodes. We looked at that in the past. They didn’t work with us to get the problem fully resolved or get it done on their own. Since then, in version 3.2.98, a changelog entry suggested another attempt, “Fixed a shortcode parameter sanitization issue with the all downloads shortcode ( reported by Jack Taylor from Wordfence )”. Then a changelog entry for version 3.3.00 suggested another attempt, “Fixed a parameter sanitization issue with short-code [wpdm_login_form].” In looking over the code, we confirmed there is at least one more issue. We would recommend not using the plugin unless the developer shows they are committed to finally fully securing the plugin.


11 Jun 2024

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in WP jQuery Lightbox (WP Lightbox)

One of the changelog entries for the latest version of the WordPress plugin WP jQuery Lightbox (WP Lightbox) is “Minor security fix (issue only affected authenticated users).” Checking into that, we found that it referenced an authenticated persistent cross-site scripting (XSS) vulnerability where someone with the ability to edit posts could cause JavaScript code to run when a lightbox entry is clicked.


5 Jun 2024

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in GreenShift

The changelog for the latest version of the WordPress plugin GreenShift reads “Added: Lighbox improvements and security improvements for social share block, typography options.” The security improvement referenced there appears to be the addition of escaping when outputting user input from a block. Even in the code being modified the escaping is incomplete, which is confirmed with the proof of concept below. That means there is currently an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin. Other similar code also lacks the needed escaping. We have notified the developer of that and offered to help them address it.


21 Feb 2024

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Download Manager

One of the changelog entries for the latest version of the WordPress plugin Download Manager suggested that an authenticated persistent cross-site scripting (XSS) vulnerability through a shortcode was being fixed, as it reads “Fixed input sanitization issues with short-code parameters.” In looking into the changes made, it looked like the fix was incomplete. A bit of testing confirmed that. We have reached out to the developer to let them know the fix was not complete and offered to help them address this.


5 Feb 2024

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Shariff Wrapper

Last Tuesday, someone was claiming to have found a vulnerability in the WordPress plugin Shariff Wrapper. As at least one of our customers was using the plugin, we went to check whether there was an obvious serious vulnerability in the plugin. We didn’t see anything. We then started keeping an eye out for a new version of the plugin. On Friday, an update to the plugin was released that was supposed to address the issue. The relevant changelog reads, “security fix (thanks to Dmitrii Ignatyev from CleanTalk inc.)” Looking at the changes made, we found that the developer had incompletely fixed an authenticated persistent cross-site scripting (XSS) vulnerability. It is rather minor, as the vulnerability would require the attacker to have access to modify a post or page. They could then add one of the plugin’s shortcodes with JavaScript code in it.
