The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() on the 'userhash' parameter, which strips HTML tags but does not escape characters significant in a JavaScript string context (such as double quotes, semicolons, and parentheses). The sanitized value is then directly interpolated into a JavaScript string within a <script> tag on line 29 without any JavaScript-specific escaping (e.g., wp_json_encode() or esc_js()). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Coachific Shortcode WordPress plugin versions up to 1.0 contain a Stored Cross-Site Scripting vulnerability in the 'userhash' shortcode attribute due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access can inject arbitrary JavaScript that executes when users access affected pages.
يحتوي مكون Coachific Shortcode للووردبريس على ثغرة Stored XSS في خاصية 'userhash' حيث يتم استخدام sanitize_text_field() الذي يزيل علامات HTML لكنه لا يهرب الأحرف المهمة في سياق سلسلة JavaScript. يتم إدراج القيمة المعالجة مباشرة في سلسلة JavaScript داخل علامة script بدون هروب خاص بـ JavaScript. يمكن للمهاجمين المصرح لهم على مستوى المساهم حقن برامج نصية ويب عشوائية تنفذ عند وصول المستخدمين إلى الصفحات المصابة.
The Coachific Shortcode WordPress plugin versions up to 1.0 contains a Stored Cross-Site Scripting vulnerability in the 'userhash' shortcode attribute due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access can inject arbitrary JavaScript that executes when users access affected pages.
Update the Coachific Shortcode plugin to a patched version beyond 1.0 immediately. Implement proper output escaping using wp_json_encode() or esc_js() for JavaScript context. Restrict Contributor-level permissions to trusted users only. Consider using Web Application Firewall rules to detect and block XSS payloads in shortcode attributes.
قم بتحديث مكون Coachific Shortcode إلى إصدار مصحح أحدث من 1.0 فوراً. طبق الهروب الصحيح للمخرجات باستخدام wp_json_encode() أو esc_js() لسياق JavaScript. قيد صلاحيات مستوى المساهم للمستخدمين الموثوقين فقط. فكر في استخدام قواعد جدار الحماية لتطبيقات الويب لكشف وحجب حمولات XSS في خصائص الاختصار.