The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the wpmk_block_shortcode() function, the 'class' attribute is extracted from user-controllable shortcode attributes and directly concatenated into an HTML div element's class attribute without any escaping (e.g., esc_attr()). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WPMK Block WordPress plugin versions up to 1.0.1 contain a Stored Cross-Site Scripting vulnerability in the 'class' shortcode attribute due to insufficient input sanitization. Authenticated attackers with Contributor access can inject malicious scripts that execute when users view affected pages.
The stored XSS vulnerability in the WPMK Block plugin for WordPress allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the class attribute of the shortcode. The vulnerability is caused by insufficient input sanitization and output escaping in the wpmk_block_shortcode() function.
Update WPMK Block plugin to version 1.0.2 or later immediately. Implement proper input sanitization using sanitize_text_field() and output escaping using esc_attr() for all shortcode attributes. Restrict Contributor-level permissions to trusted users only and monitor for suspicious shortcode usage in page content.
Update the WPMK Block plugin to version 1.0.2 or later immediately. Apply proper input sanitization using sanitize_text_field() and output escaping using esc_attr() for all shortcode attributes. Restrict Contributor-level permissions to trusted users only and monitor for suspicious shortcode usage in page content.
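The following PHP is an added illustration of the defect described in the advisory and of the remediation it recommends; it is not the WPMK Block plugin's own source. The handler name wpmk_block_shortcode() comes from the advisory, while the shortcode tag 'wpmk_block', the wrapper markup and the function suffixes are assumptions.

```php
<?php
// Added example, not WPMK Block's actual code. Assumes the shortcode tag is
// 'wpmk_block' and that the handler wraps its content in a <div>.

// Vulnerable pattern described in the advisory: the 'class' attribute comes
// from user-controlled shortcode attributes and is concatenated into the HTML
// without escaping, so a value containing a quote or angle bracket can leave
// the attribute and introduce markup.
function wpmk_block_shortcode_vulnerable( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'class' => '' ), $atts, 'wpmk_block' );
    // No sanitize_text_field() / esc_attr() on $atts['class'].
    return '<div class="wpmk-block ' . $atts['class'] . '">'
        . do_shortcode( $content ) . '</div>';
}

// Hardened form from the remediation: sanitize on input, escape on output.
function wpmk_block_shortcode_fixed( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'class' => '' ), $atts, 'wpmk_block' );
    // sanitize_text_field() strips tags and control characters; esc_attr()
    // encodes quotes and angle brackets so the value stays inside the attribute.
    $class = esc_attr( sanitize_text_field( $atts['class'] ) );
    return '<div class="wpmk-block ' . $class . '">'
        . do_shortcode( $content ) . '</div>';
}

// Stricter variant: CSS class names only need letters, digits, '-' and '_',
// so allowlist each whitespace-separated token with sanitize_html_class()
// (a core WordPress function) and drop anything else before escaping.
function wpmk_block_sanitize_class_list( $value ) {
    $tokens = preg_split( '/\s+/', trim( (string) $value ) );
    $clean  = array_filter( array_map( 'sanitize_html_class', $tokens ) );
    return esc_attr( implode( ' ', $clean ) );
}

function wpmk_block_shortcode_strict( $atts, $content = null ) {
    $atts  = shortcode_atts( array( 'class' => '' ), $atts, 'wpmk_block' );
    $class = wpmk_block_sanitize_class_list( $atts['class'] );
    return '<div class="wpmk-block ' . $class . '">'
        . do_shortcode( $content ) . '</div>';
}

// Register the hardened handler (tag name is an assumption).
add_shortcode( 'wpmk_block', 'wpmk_block_shortcode_strict' );
```

The allowlisting variant is preferable where a class attribute is the only thing accepted, since it rejects the problematic characters outright rather than relying on escaping alone.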