The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the [circliful] shortcode and via multiple attributes of the [circliful_direct] shortcode in all versions up to and including 1.2. The cause is insufficient input sanitization and output escaping of user-supplied shortcode attributes. In circliful_shortcode(), the 'id' attribute value is concatenated directly into an HTML id attribute (line 285) without escaping, so a value containing a double quote closes the attribute and everything after it is parsed as further attributes, including event handlers such as onmouseover. In circliful_direct_shortcode() (line 257), every supplied shortcode attribute is written into a data-* attribute without escaping, giving the same break-out through any attribute name the attacker chooses. Because shortcode attribute text is not HTML, the kses filtering WordPress applies to posts from users without the unfiltered_html capability does not neutralize it; the unescaped handler output is the first point at which the value becomes markup. This makes it possible for authenticated attackers with Contributor-level access and above to store a payload in a post or page that executes in the browser of any user who views it.
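The following is an added illustration and is not the plugin's source: the two handler bodies are a reconstruction of the pattern the advisory describes (raw concatenation into id="..." and data-*="..."), and the attribute names ('id', 'percent') are assumed. It puts the unsafe concatenation beside its escaped form, shows an escaped variant of the echo-every-attribute handler, and adds a heuristic scan over post content that matches the monitoring advice in the remediation. The esc_attr() and shortcode_atts() stand-ins are defined only when the file runs outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example for this advisory; NOT the WP Circliful plugin's code.
// Handler bodies and attribute names are assumed. Run with: php circliful_example.php

// Minimal stand-ins so the file runs outside WordPress.
if (!function_exists('esc_attr')) {
    // WordPress's esc_attr() is an HTML-attribute escaper; htmlspecialchars with
    // ENT_QUOTES covers the characters that matter here (" ' < > &).
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    // shortcode_atts() merges user-supplied attributes over the handler's defaults.
    function shortcode_atts($pairs, $atts, $shortcode = '') {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, (array) $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: the attribute value is concatenated into HTML unescaped.
// A double quote in $atts['id'] closes id="..." and the rest of the value is
// parsed by the browser as new attributes, e.g. an event handler.
function circliful_shortcode_vulnerable($atts) {
    $atts = shortcode_atts(['id' => 'circle', 'percent' => '50'], $atts);
    return '<div id="' . $atts['id'] . '" data-percent="' . $atts['percent'] . '"></div>';
}

// Hardened form: every user-controlled value passes through esc_attr() at the
// point it is written into an attribute. Output escaping is the fix; a blocklist
// on input is not.
function circliful_shortcode_fixed($atts) {
    $atts = shortcode_atts(['id' => 'circle', 'percent' => '50'], $atts);
    return '<div id="' . esc_attr($atts['id']) . '" data-percent="' . esc_attr($atts['percent']) . '"></div>';
}

// Same idea for a handler that echoes EVERY attribute as data-*: restrict the
// attribute NAME to a safe character set and escape the VALUE. WordPress passes
// positional (numeric-key) attributes too; those are dropped here.
function circliful_direct_shortcode_fixed($atts) {
    $html = '<div';
    foreach ((array) $atts as $name => $value) {
        if (!is_string($name) || !preg_match('/^[a-z0-9_-]+$/i', $name)) {
            continue;
        }
        $html .= ' data-' . strtolower($name) . '="' . esc_attr($value) . '"';
    }
    return $html . '></div>';
}

// Detection heuristic for "monitor for suspicious shortcode usage": flag
// [circliful ...] / [circliful_direct ...] tags whose attribute text contains
// markup characters, an on*= handler, a javascript: scheme, or a quote of one
// kind nested inside a value delimited by the other kind. Heuristic, not a parser.
function find_suspicious_circliful_shortcodes($post_content) {
    $hits = [];
    if (!preg_match_all('/\[circliful(?:_direct)?\b([^\]]*)\]/i', $post_content, $m)) {
        return $hits;
    }
    foreach ($m[1] as $i => $attrs) {
        $suspicious =
            preg_match('/<|>|\bon\w+\s*=|javascript:/i', $attrs)
            || preg_match('/\'[^\']*"[^\']*\'/', $attrs)   // " inside a '...' value
            || preg_match('/"[^"]*\'[^"]*"/', $attrs);     // ' inside a "..." value
        if ($suspicious) {
            $hits[] = $m[0][$i];
        }
    }
    return $hits;
}

// Constructed sample input (not real plugin data): the attribute array a
// Contributor's post would produce after WordPress parses the shortcode.
$payload = ['id' => 'x" onmouseover="alert(document.domain)', 'percent' => '75'];
echo "vulnerable: " . circliful_shortcode_vulnerable($payload) . "\n";
echo "fixed:      " . circliful_shortcode_fixed($payload) . "\n";
echo "direct:     " . circliful_direct_shortcode_fixed($payload) . "\n";

// Constructed post_content with one malicious and one benign shortcode.
$sample_post = "Intro text [circliful id='x\" onmouseover=\"alert(1)' percent='75'] "
             . "and a benign one [circliful id=\"c1\" percent=\"50\"].";
print_r(find_suspicious_circliful_shortcodes($sample_post));
```

The payload reaches the handler because WordPress's shortcode parser accepts single-quoted attribute values, so a Contributor can write [circliful id='x" onmouseover="alert(1)'] in a post; the kses filtering applied to that role's content leaves the text alone since it is not an HTML tag. In the fixed handler esc_attr() turns the embedded quotes into &quot;, so the browser never sees an attribute boundary inside the value.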
The WP Circliful WordPress plugin, in versions up to and including 1.2, contains stored cross-site scripting vulnerabilities in shortcode attributes due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access can inject arbitrary HTML and JavaScript that persists in the database.
A stored XSS vulnerability in the WP Circliful plugin allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript through shortcode attributes. The vulnerability affects the circliful_shortcode and circliful_direct_shortcode functions, where input values are concatenated directly into HTML attributes without escaping.
Update the WP Circliful plugin to version 1.3 or later immediately. Plugin authors: escape every shortcode attribute at the point of output (esc_attr() for attribute context) rather than relying on input filtering, and do not emit arbitrary attribute names into data-* attributes. Site operators: restrict Contributor-level access and above to trusted users only, and monitor post content for [circliful] and [circliful_direct] shortcodes whose attribute values contain quotes, angle brackets or on*= handlers.