johska discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress External Markdown Plugin to Patchstack.
The plugin's shortcode is vulnerable to Stored XSS.
The vulnerability arises because the code does not properly sanitize shortcode attributes before placing them in the rendered HTML, allowing a user with a role as low as Contributor to inject a script that runs in the browser of anyone viewing the post.
## Test setup
Tested with docker image: wordpress:6.7.2-php8.3-apache
## Steps to reproduce
1. Install and activate the plugin. No configuration needed.
2. Log in as Contributor or higher and create a new post containing the following shortcode:
```php
[external_markdown class='" onmouseover=alert(1) style="position: fixed;top: 0;left: 0;width: 100%;height: 100%;z-index: 9999; background-color: transparent;"']
```
The XSS triggers whenever the page containing the shortcode is hovered over with the mouse, because the injected `style` turns the element into a transparent full-screen overlay and `onmouseover` fires on any mouse movement.
Affected file:
https://plugins.trac.wordpress.org/browser/external-markdown/trunk/external-markdown.php
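The pattern behind this class of bug, and the fix, as an added illustration that is not the plugin's own code: a shortcode handler that concatenates the raw `class` attribute into its output, beside a hardened version that whitelists class tokens with `sanitize_html_class()` and escapes on output with `esc_attr()`. The handler names and the single `class` attribute are assumptions for the example; the small stand-ins at the top only exist so the file runs under plain `php` without WordPress loaded and are skipped when the real WordPress functions are present.

```php
<?php
// Illustrative shortcode handler, NOT the External Markdown plugin's actual code.
// Assumption: the unsafe version drops the raw `class` attribute straight into HTML.

// Stand-ins (approximations of the WordPress originals) so this file runs under
// plain `php`. Inside WordPress the real functions are defined and these are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_html_class')) {
    // WordPress keeps only A-Z, a-z, 0-9, '_' and '-' in a class name.
    function sanitize_html_class($class, $fallback = '') {
        $clean = preg_replace('/[^A-Za-z0-9_-]/', '', (string) $class);
        return $clean === '' ? $fallback : $clean;
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: the attribute value is concatenated into markup unescaped,
// so a value containing a double quote closes the attribute and adds new ones.
function external_markdown_shortcode_unsafe($atts) {
    $atts = shortcode_atts(['class' => 'external-markdown'], $atts);
    return '<div class="' . $atts['class'] . '"><!-- rendered markdown --></div>';
}

// Hardened pattern: reduce the value to valid class tokens, then escape on output.
function external_markdown_shortcode_safe($atts) {
    $atts = shortcode_atts(['class' => 'external-markdown'], $atts);
    // Split on whitespace so "foo bar" stays a list of classes, strip every character
    // that cannot appear in a class token, drop empty tokens, and fall back to the
    // default class if nothing survives.
    $tokens  = preg_split('/\s+/', trim((string) $atts['class']));
    $classes = array_filter(array_map('sanitize_html_class', $tokens));
    $class_attr = $classes ? implode(' ', $classes) : 'external-markdown';
    // esc_attr() is still applied: sanitize for the context, escape for the output.
    return '<div class="' . esc_attr($class_attr) . '"><!-- rendered markdown --></div>';
}

// Constructed input shaped like the attribute used in the report above.
$poc = ['class' => '" onmouseover=alert(1) style="position: fixed;"'];
echo external_markdown_shortcode_unsafe($poc), PHP_EOL;
echo external_markdown_shortcode_safe($poc), PHP_EOL;
```

Run with `php example.php`: the unsafe handler emits a `div` whose `class` attribute is closed early and followed by attacker-controlled `onmouseover` and `style` attributes, while the hardened handler emits only harmless class names (the quote and parentheses are stripped, leaving tokens such as `onmouseoveralert1`). The two layers are deliberate: `sanitize_html_class()` decides what the value may be, `esc_attr()` guarantees it cannot break out of the attribute even if the sanitizer is later relaxed.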
To make the patching process easier and safer for all users, we recommend reading our memo about the most common vulnerabilities and the way these can be fixed. If you need help understanding some of the security concepts, don’t worry. That’s when we step in and help.
Please send us the patched version or code before releasing it, so we could help you avoid incomplete patches that could lead to inconveniences. Don’t delay security patch releases for other non-security updates. Ideally, security fixes would be released separately so users could update ASAP without fear of anything breaking. You can also join the free Patchstack mVDP program to have better control over the vulnerability patching and disclosure process.