The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. The cause is insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. Specifically, in the avp_texttoggle_part_shortcode() function, the 'title' attribute is extracted from the shortcode attributes and concatenated directly into the HTML output without any escaping, both inside an HTML attribute (title="...") on line 116 and as HTML element content on line 119. While the 'class' attribute is validated with ctype_alnum(), the 'title' attribute receives no sanitization at all. An attacker can therefore supply a value containing a double-quote character to close the title attribute and append arbitrary attributes, including event handlers; because WordPress's shortcode parser also accepts single-quoted and unquoted attribute values, a double quote can be delivered in the value even though a double-quoted shortcode attribute cannot itself contain one. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
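The following is an added illustration of the pattern the advisory describes, not the Text Toggle plugin's own source: a shortcode handler that drops the 'title' attribute straight into an attribute and into element content, beside a hardened version that sanitizes on input and escapes per output context. The function names tt_part_vulnerable() and tt_part_hardened(), the markup, the polyfills and the payload are all assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. The markup and function bodies are
// assumptions modelled on the advisory's description (an unescaped 'title'
// inside title="..." and again as element content).

// Minimal stand-ins so the file runs outside WordPress. Inside WordPress the
// real shortcode_atts()/esc_attr()/esc_html()/sanitize_text_field() are used;
// these approximations only cover what the example needs.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts): array {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str): string {
        // Approximation: strip tags and control characters, trim whitespace.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags((string) $str)));
    }
}

// Vulnerable pattern: 'class' is validated, 'title' is concatenated raw into
// an attribute value and into element content.
function tt_part_vulnerable($atts, $content = ''): string {
    $a     = shortcode_atts(['title' => '', 'class' => ''], $atts);
    $class = ctype_alnum($a['class']) ? $a['class'] : '';
    return '<div class="tt-part ' . $class . '" title="' . $a['title'] . '">'
         . '<h4>' . $a['title'] . '</h4>'
         . $content . '</div>';
}

// Hardened pattern: sanitize the value once on the way in, then escape for
// the exact context it lands in (esc_attr for attributes, esc_html for text).
// $content is left to WordPress's own content filtering, as in the original.
function tt_part_hardened($atts, $content = ''): string {
    $a     = shortcode_atts(['title' => '', 'class' => ''], $atts);
    $class = ctype_alnum($a['class']) ? $a['class'] : '';
    $title = sanitize_text_field($a['title']);
    return '<div class="tt-part ' . esc_attr($class) . '" title="' . esc_attr($title) . '">'
         . '<h4>' . esc_html($title) . '</h4>'
         . $content . '</div>';
}

// Constructed payload of the kind the advisory describes: a double quote that
// closes title="..." followed by an event-handler attribute. In a post it would
// arrive via a single-quoted shortcode attribute, e.g. [tt_part title='...'].
$payload = '" onmouseover="alert(document.domain)';
$atts    = ['title' => $payload, 'class' => 'x'];

echo "Vulnerable output:\n", tt_part_vulnerable($atts, 'body'), "\n\n";
echo "Hardened output:\n",   tt_part_hardened($atts, 'body'), "\n";
```

In the vulnerable output the payload's leading double quote terminates the title attribute and onmouseover becomes a live attribute on the div; in the hardened output the same characters are emitted as &quot; and the handler text stays inert inside the attribute value and the heading.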
The Text Toggle WordPress plugin versions up to 1.1 contains a Stored Cross-Site Scripting vulnerability in the 'title' shortcode attribute due to insufficient input sanitization and output escaping. Authenticated attackers can inject malicious HTML and JavaScript code that persists in the database and executes for all users viewing affected pages.
The Text Toggle plugin for WordPress contains a Stored XSS vulnerability in the title attribute of the [tt_part] and [tt] shortcodes due to insufficient input sanitization. Authenticated attackers can inject malicious HTML and JavaScript code that persists in the database and executes for all users.
Update the Text Toggle plugin to version 1.2 or later immediately. For plugin code, the fix that actually closes the hole is context-appropriate output escaping: esc_attr() for values placed inside HTML attributes and esc_html() for values placed in element content. Sanitizing the 'title' attribute on the way in with sanitize_text_field() adds defence in depth; wp_kses_post() is suited to content that is allowed to carry HTML and is not a substitute for escaping an attribute value. If an update is unavailable, disable the plugin. Updating does not remove payloads already stored, so audit all posts and pages for [tt] and [tt_part] shortcodes whose title values contain quotes, angle brackets or event-handler attributes.
Update the Text Toggle plugin to version 1.2 or later immediately. Apply input sanitization using sanitize_text_field() or wp_kses_post() for the 'title' attribute and apply proper output escaping using esc_attr() for attributes and esc_html() for content. Disable the plugin if an update is not available and audit all posts and pages for malicious shortcode content.
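The audit step above can be scripted. The following is an added helper, not part of the Text Toggle plugin or of WordPress: it finds [tt] and [tt_part] shortcodes in post content, parses their attributes in the three quoting forms WordPress's shortcode_parse_atts() accepts, and flags title values that could close the attribute or introduce markup. The function names tt_parse_atts(), tt_title_is_suspicious() and tt_audit_posts() and the sample posts are constructed for the example.

```php
<?php
// Added audit helper, not plugin or WordPress code. Sample posts below are
// constructed for the demonstration.

// Parse name="v", name='v' and name=v attribute pairs, mirroring the forms
// WordPress's shortcode_parse_atts() accepts. A single-quoted or unquoted
// value is how a double quote reaches the handler, since a double-quoted
// value cannot itself contain a double quote.
function tt_parse_atts(string $text): array {
    $atts    = [];
    $pattern = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\'"]+))/';
    if (preg_match_all($pattern, $text, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            $value = $match[2];
            if ($value === '') { $value = $match[3] ?? ''; }
            if ($value === '') { $value = $match[4] ?? ''; }
            $atts[strtolower($match[1])] = $value;
        }
    }
    return $atts;
}

// Flag characters and tokens that matter in the two output contexts the
// advisory names: a double quote (attribute break-out), angle brackets
// (tag injection in content), inline event handlers and script URLs.
function tt_title_is_suspicious(string $title): bool {
    return (bool) preg_match('/["<>]|\bon\w+\s*=|javascript\s*:/i', $title);
}

// $posts is an array of post ID => post_content. Inside WordPress, build it
// from $wpdb->get_results("SELECT ID, post_content FROM {$wpdb->posts}
// WHERE post_content LIKE '%[tt%'") by mapping each row's ID to its content.
// Like WordPress's own shortcode regex, this does not handle a literal ']'
// inside an attribute value.
function tt_audit_posts(array $posts): array {
    $findings = [];
    foreach ($posts as $id => $content) {
        if (!preg_match_all('/\[(tt_part|tt)\b([^\]]*)\]/i', $content, $m, PREG_SET_ORDER)) {
            continue;
        }
        foreach ($m as $sc) {
            $atts = tt_parse_atts($sc[2]);
            if (isset($atts['title']) && tt_title_is_suspicious($atts['title'])) {
                $findings[] = ['post' => $id, 'shortcode' => $sc[0], 'title' => $atts['title']];
            }
        }
    }
    return $findings;
}

// Constructed sample content: one benign use, two attribute-injection
// attempts delivered through single-quoted and unquoted values, one post
// without the shortcode at all.
$posts = [
    101 => 'Intro [tt title="Benign heading"]hidden text[/tt]',
    102 => '[tt_part title=\'" onmouseover="alert(document.domain)\' class="a"]x[/tt_part]',
    103 => '[tt title="Don\'t panic"]fine[/tt] [tt title=x"autofocus"onfocus=alert(1)]y[/tt]',
    104 => 'No shortcode here',
];

foreach (tt_audit_posts($posts) as $f) {
    printf("post %d: suspicious title %s in %s\n", $f['post'], var_export($f['title'], true), $f['shortcode']);
}
```

Expect findings for posts 102 and 103 only; the apostrophe in "Don't panic" is not flagged, since it cannot close a double-quoted attribute and is harmless in element content. Treat the output as a review list rather than a verdict: inspect each flagged post's revision history to see which account introduced the shortcode, and remove or repair the content after updating the plugin.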