The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the render_shortcode_preview() function. The function receives user input from $_GET['shortcode'], passes it through stripslashes() without any sanitization, and then outputs it directly via echo do_shortcode($shortcode) on line 393. When the input is not a valid WordPress shortcode (e.g., an HTML tag with JavaScript event handlers), do_shortcode() returns it unchanged, and it is reflected into the page without escaping. The endpoint is registered via admin_post_ (not admin_post_nopriv_), meaning it requires the user to be logged in with at minimum a Subscriber-level account. There is no nonce verification or additional capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute if they can successfully trick a user into performing an action such as clicking a link.
The WP Blockade WordPress plugin versions up to 0.9.14 contain a Reflected Cross-Site Scripting vulnerability in the render_shortcode_preview() function due to insufficient input sanitization of the 'shortcode' parameter. An authenticated attacker with subscriber-level privileges can inject malicious JavaScript code that executes in the context of other users' browsers.
ثغرة XSS منعكسة في إضافة WP Blockade للووردبريس تؤثر على جميع الإصدارات حتى 0.9.14 من خلال معامل shortcode في دالة render_shortcode_preview(). تحدث الثغرة بسبب عدم تنظيف المدخلات بشكل كافٍ حيث يتم تمرير البيانات عبر stripslashes() فقط دون معالجة أمنية إضافية. يمكن لأي مستخدم مصرح بصلاحيات المشترك فما فوق تنفيذ أكواد JavaScript ضارة تؤثر على المستخدمين الآخرين.
WP Blockade plugin for WordPress up to version 0.9.14 is vulnerable to Reflected XSS through the shortcode parameter in the render_shortcode_preview function due to lack of input validation. Authenticated users with subscriber privileges can inject and execute arbitrary JavaScript code affecting other users.
Update WP Blockade plugin to version 0.9.15 or later immediately. Implement proper input sanitization using sanitize_text_field() and output escaping using esc_html() or wp_kses_post(). Add nonce verification and capability checks to the render_shortcode_preview() function. Restrict access to authenticated users with appropriate administrative capabilities only.
قم بتحديث إضافة WP Blockade إلى الإصدار 0.9.15 أو أحدث فوراً. طبق تنظيف المدخلات الصحيح باستخدام sanitize_text_field() وتجنب المخرجات باستخدام esc_html() أو wp_kses_post(). أضف التحقق من nonce والتحقق من الصلاحيات لدالة render_shortcode_preview(). قيد الوصول للمستخدمين المصرحين بصلاحيات إدارية مناسبة فقط.