📄 Description (English)
The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' (and 'button') shortcode attributes in the rspc_check_shortcode() function, which are echoed directly into iframe src attributes without esc_attr() or esc_url(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🤖 AI Executive Summary
The Responsive Check WordPress plugin (versions ≤0.0.3) contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'rspcheck' shortcode that allows authenticated contributors to inject malicious scripts into pages. The vulnerability stems from insufficient input sanitization and output escaping of the 'url' and 'button' shortcode attributes. While currently unpatched, the medium CVSS score (6.4) and requirement for contributor-level access limit immediate risk, but the stored nature of the XSS poses persistent threats to website visitors.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 28, 2026 09:19
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using WordPress for government portals, banking websites, e-commerce platforms, and corporate communications are at risk. Most vulnerable sectors include: Government agencies (NCA, CITC) hosting public information portals; Banking sector (SAMA-regulated institutions) using WordPress for customer-facing websites; Healthcare providers (MOH) with WordPress-based patient information systems; Telecommunications (STC, Mobily) for customer service portals; and E-commerce businesses. The vulnerability is particularly concerning for organizations with multiple contributor-level users, as any compromised account could inject persistent malware affecting all website visitors.
🏢 Affected Saudi Sectors
Government
Banking
Healthcare
Telecommunications
E-commerce
Education
Energy
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations using Responsive Check plugin ≤0.0.3 across your organization
2. Review user access logs for contributor-level accounts to identify suspicious activity
3. Scan all pages/posts containing 'rspcheck' shortcodes for malicious content
4. Disable the plugin immediately if not actively used
PATCHING GUIDANCE:
1. Contact plugin developer for security update timeline
2. If no patch available within 30 days, consider removing the plugin entirely
3. Migrate shortcode functionality to alternative, actively maintained plugins
COMPENSATING CONTROLS:
1. Restrict contributor-level access to trusted users only; implement role-based access control
2. Enable WordPress security plugins (Wordfence, Sucuri) with malware scanning
3. Implement Content Security Policy (CSP) headers to restrict inline script execution
4. Deploy Web Application Firewall (WAF) rules to detect XSS payloads in shortcode attributes
5. Enable WordPress audit logging for shortcode modifications
DETECTION RULES:
1. Monitor for 'rspcheck' shortcodes with 'url' or 'button' attributes containing: javascript:, data:, onerror=, onload=, <script
2. Alert on any shortcode attribute modifications by contributor-level users
3. Scan iframe src attributes for non-standard protocols or encoded payloads
4. Review WordPress post revisions for suspicious shortcode additions
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون Responsive Check ≤0.0.3 عبر مؤسستك
2. مراجعة سجلات الوصول للمستخدمين على مستوى المساهم لتحديد النشاط المريب
3. مسح جميع الصفحات/المنشورات التي تحتوي على اختصارات 'rspcheck' بحثاً عن محتوى ضار
4. تعطيل المكون فوراً إذا لم يكن قيد الاستخدام النشط
إرشادات التصحيح:
1. اتصل بمطور المكون للحصول على جدول زمني لتحديث الأمان
2. إذا لم يتوفر تصحيح خلال 30 يوماً، فكر في إزالة المكون بالكامل
3. ترحيل وظيفة الاختصار إلى مكونات بديلة يتم صيانتها بنشاط
الضوابط التعويضية:
1. تقييد الوصول على مستوى المساهم للمستخدمين الموثوقين فقط؛ تنفيذ التحكم في الوصول القائم على الأدوار
2. تفعيل مكونات أمان WordPress (Wordfence, Sucuri) مع مسح البرامج الضارة
3. تنفيذ رؤوس سياسة أمان المحتوى (CSP) لتقييد تنفيذ البرامج النصية المضمنة
4. نشر قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن حمولات XSS في خصائص الاختصار
5. تفعيل تسجيل تدقيق WordPress لتعديلات الاختصار
قواعد الكشف:
1. مراقبة اختصارات 'rspcheck' بخصائص 'url' أو 'button' تحتوي على: javascript:, data:, onerror=, onload=, <script
2. تنبيه على أي تعديلات خصائص الاختصار من قبل مستخدمي مستوى المساهم
3. مسح خصائص src للإطار لبروتوكولات غير قياسية أو حمولات مشفرة
4. مراجعة مراجعات منشورات WordPress بحثاً عن إضافات اختصار مريبة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.5.23 - Access control for information systems
ECC 2024 A.6.5 - Suppression of unauthorized access attempts
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Business Environment
SAMA CSF PR.AC-1 - Access Control Policy
SAMA CSF PR.AC-3 - Access Enforcement
SAMA CSF DE.CM-1 - Detection and Analysis
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control
ISO 27001:2022 A.5.16 - Identity Management
ISO 27001:2022 A.8.22 - Information Security for Supplier Relationships
ISO 27001:2022 A.8.23 - Information Security Incident Management
🟣 PCI DSS v4.0.1
PCI DSS 6.5.7 - Cross-site scripting (XSS)
PCI DSS 6.5.10 - Broken authentication and session management
PCI DSS 7.1 - Limit access to system components by business need to know
🔗 References & Sources 4
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/responsive-checker-real-time/trunk/responsiv...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/responsive-checker-real-time/trunk/responsiv...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/responsive-checker-real-time/trunk/responsiv...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/d1d571e3-cf6d-4e9b-a3d7-e7e19...
security@wordfence.com