Shortcodes Ultimate Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode – CVE-2024-1510 | WordPress Plugin Vulnerability Report

Q: What exactly is vulnerable in Shortcodes Ultimate?

What exactly is vulnerable in Shortcodes Ultimate? The su_tooltip shortcode contained in versions 7.0.2 and earlier of the Shortcodes Ultimate plugin has an authenticated stored cross-site scripting (XSS) vulnerability. This shortcode displays text in a popup tooltip when users hover over content. Due to insufficient validation of attributes and tags, the shortcode allows contributors and authors to inject malicious scripts that get stored and execute whenever a affected page loads.

Q: How serious is this vulnerability?

How serious is this vulnerability? With a CVSS severity score of 6.4 out of 10, this vulnerability is considered medium severity but enables serious impacts such as full site takeovers, data theft, UI redressing for phishing, cryptojacking, and other attacks. The storage element means malicious scripts persist on pages. And while authentication is required, contributors are commonplace making exploitation likely against unaware victims.

Q: Could this vulnerability negatively impact my site?

Could this vulnerability negatively impact my site? Yes, if your site runs an affected version of Shortcodes Ultimate, you are at risk. The vulnerability provides an initial point of compromise for attackers to leverage in staging further attacks that could deface your site, steal login credentials and sensitive data from administrators and visitors, spam search engines with bad links to harm SEO, and otherwise damage user trust or lead to legal and regulatory problems in cases of data breaches.

Q: How do I know if my site is vulnerable or has been compromised?

How do I know if my site is vulnerable or has been compromised? Your site is vulnerable if running any Shortcodes Ultimate version up to and including 7.0.2. Update to 7.0.3 immediately. To check for compromise, look for unauthorized edits in files and databases, scan JavaScript for obfuscated or outright malicious looking code, and watch for sudden redirections or UI/UX changes unexplained by updates. If still unsure, professionals can conduct compromise assessments and carefully inspect everything.

Q: Should I just delete Shortcodes Ultimate and find an alternative?

Should I just delete Shortcodes Ultimate and find an alternative? Uninstalling the plugin prevents continued vulnerability exposure, but does not remove existing malicious code if already attacked, hence why compromise checks remain vital. Alternate shortcode plugins avoid this flaw but may harbor other bugs, making staying updated imperative no matter the replacement. For site integrity reasons, professional cleanup of malicious remnants often proves wise before installing anything new.

Q: What if I need Shortcodes Ultimate for my business site to function?

What if I need Shortcodes Ultimate for my business site to function? Understandable if you rely on custom shortcode features, especially with intricate site integration. In this case, updating to Shortcodes Ultimate 7.0.3 or higher will fully patch the vulnerability without losing functionality or triggering extensive regressions. We still advise compromise checks as attacking the flaw pre-patch remains possible. For peace of mind, additional hardening of WordPress permissions, folders, error reporting and more can further boost security.

Q: How do I actually update Shortcodes Ultimate properly?

How do I actually update Shortcodes Ultimate properly? Log into your WP dashboard, click "Plugins" on the left, click "Update" next to Shortcodes Ultimate, then click the minor version update likely prefixed with "Bug fixes and enhancements". Disable, test on a staging copy if possible, clear caches, check nothing breaks. Updating securely may require tweaking file/folder permissions after. If issues arise, experts can assist smooth, proper, restoration focused updates.

Q: I updated but the vulnerable version remains active, why?

I updated but the vulnerable version remains active, why? Sometimes plugin updates incorrectly leave old buggy copies active instead truly updating. Check the active plugin version shown matches the newest fixed release. If wrong, fully deleting Shortcodes Ultimate then reinstalling the latest files usually resolves this quirk. Conservative types might backup files beforehand. Refreshing dashboard and browser cache also helps. Still stuck? professionals can investigate and remove lingering vulnerable versions.

Q: My site was hacked through this flaw already, what now?

My site was hacked through this flaw already, what now? Immediately take the compromised site offline by renaming wp-config.php. Backup all files and databases safely for later inspection. Next secure clean reinstalls of WordPress core, themes and trusted plugins on a freshly setup web space. Update Shortcodes Ultimate on this secured copy last. Restore sanitized production content. Inspect backups to determine attack scope for disclosure duties if regulated. Experts aid safe restoration, vulnerability checks, removal of backdoors, providing legal/PR advice.

Q: How can I prevent this from happening again in the future?

How can I prevent this from happening again in the future? Beyond updating Shortcodes Ultimate, broadly strengthen WordPress security by enabling strong passwords, automatic background updates for core and plugins, restrictive file permissions on directories, disable file editing capabilities and error information leakage. Run trustworthy security plugins like Wordfence to continually check files. Contract reputable developers to implement application security standards and audit the entire architecture. Signup for monitoring services alerting you to vulnerabilities and attacks as they arise.

By Your WP Guy | February 19, 2024

Plugin Name: Shortcodes Ultimate

Key Information ormation:

Software Type: Plugin
Software Slug: shortcodes-ultimate
Software Status: Active
Software Author: gn_themes
Software Downloads: 18,644,577
Active Installs: 600,000
Last Updated: February 19, 2024
Patched Versions: 7.0.3
Affected Versions: <= 7.0.2

Vulnerability Details:

Name: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode
Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE: CVE-2024-1510
CVSS Score: 6.4 (Medium)
Publicly Published: February 19, 2024
Researcher: Richard Telleng
Description: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_tooltip shortcode in all versions up to, and including, 7.0.2 due to insufficient input sanitization and output escaping on user supplied attributes and user supplied tags. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Shortcodes Ultimate plugin for WordPress has an authenticated stored cross-site scripting vulnerability in versions up to and including 7.0.2 via the su_tooltip shortcode. This allows contributors and above to inject malicious scripts that execute when pages are viewed. The vulnerability has been patched in version 7.0.3.

Detailed Overview:

Researcher Richard Telleng disclosed an authenticated stored cross-site scripting vulnerability in the popular Shortcodes Ultimate WordPress plugin in versions through 7.0.2. The vulnerability exists in the plugin's su_tooltip shortcode due to insufficient input sanitization, allowing authenticated users with at least contributor permissions to supply malicious attributes or tags that could inject arbitrary browser scripts. These injected scripts will execute whenever a user views an affected page, potentially leading to compromised user accounts, site defacements, or further attacks. The plugin developers have patched this medium severity vulnerability in version 7.0.3. Site administrators are urged to update immediately.

Advice for Users:

Immediate Action: Update to Shortcodes Ultimate version 7.0.3 or higher to mitigate this vulnerability.
Check for Signs of Vulnerability: Review page source code and UI for unexpected scripts. Scan core files for unauthorized edits.
Alternate Plugins: Consider alternate shortcode manager plugins like Ultimate Addons for Gutenberg or Advanced Custom Fields.
Stay Updated: Enable auto-updates for plugins when available to receive vulnerability patches rapidly.

Conclusion:

Shortcodes Ultimate’s prompt patch availability underscores the importance of timely plugin updates. Users should update to version 7.0.3 as soon as possible to fully mitigate this vulnerability’s threat on WordPress site security.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate/wp-shortcodes-plugin-shortcodes-ultimate-702-authenticated-contributor-stored-cross-site-scripting-via-su-tooltip-shortcode

Detailed Report:

Staying on top of website security is crucial in today's threat landscape. Unfortunately, many WordPress users fail to keep their sites updated, leaving dangerous vulnerabilities unpatched and ready for attackers to exploit. This was the case with a recently disclosed flaw in the popular Shortcodes Ultimate plugin which allowed authenticated users to inject malicious code into pages. While the plugin developers have now issued a patch, outdated sites remain at risk.

Shortcodes Ultimate is an extremely popular WordPress plugin installed on over 600,000 sites to easily add styled boxes, buttons, notifications, and other custom features using shortcodes. On February 19th, security researcher Richard Telleng disclosed a serious vulnerability affecting Shortcodes Ultimate versions up to and including 7.0.2.

The vulnerability exists in the plugin's su_tooltip shortcode, which displays a tooltip or popup text when users hover over specific content. Due to insufficient sanitization of attributes and tags in the shortcode, those with contributor access or higher could supply malicious scripts that would then persist and execute any time a victim viewed an affected page.

This stored cross-site scripting attack means compromised contributors could inject harmful JavaScript, redirect users to phishing pages, steal login cookies, or conduct other damaging actions against site administrators and visitors. The vulnerability provides the initial foothold needed for takeovers, data theft, black hat SEO spam, cryptojacking, and beyond.

While patched in version 7.0.3, sites running older plugin versions remain vulnerable and must immediately update. Additionally, owners should check files for unauthorized edits and scan JavaScript for anything suspicious. If site compromise is suspected, we highly recommend reaching out for expert remediation assistance.

Unfortunately, this marks the 17th vulnerability found in Shortcodes Ultimate since May of 2015. The consistent security issues underscore why plugins with vast feature sets tend to accrue more bugs over time. While the developers respond well to disclosed flaws, users cannot always rely on prompt fixes, making proactive version updates non-negotiable.

For site owners without dedicated technical staff, the endless parade of plugin vulnerabilities proves extremely daunting. We fully understand how security falls through the cracks when one's priority is keeping a business running smoothly. However, attacks through outdated WordPress sites remain an all too common and damaging occurrence. We urge users not to ignore warnings even if the technical details feel overwhelming at first glance.

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.

Shortcodes Ultimate Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode – CVE-2024-1510 | WordPress Plugin Vulnerability Report FAQs

What exactly is vulnerable in Shortcodes Ultimate?

The su_tooltip shortcode contained in versions 7.0.2 and earlier of the Shortcodes Ultimate plugin has an authenticated stored cross-site scripting (XSS) vulnerability. This shortcode displays text in a popup tooltip when users hover over content. Due to insufficient validation of attributes and tags, the shortcode allows contributors and authors to inject malicious scripts that get stored and execute whenever a affected page loads.

How serious is this vulnerability?

With a CVSS severity score of 6.4 out of 10, this vulnerability is considered medium severity but enables serious impacts such as full site takeovers, data theft, UI redressing for phishing, cryptojacking, and other attacks. The storage element means malicious scripts persist on pages. And while authentication is required, contributors are commonplace making exploitation likely against unaware victims.

Could this vulnerability negatively impact my site?

Yes, if your site runs an affected version of Shortcodes Ultimate, you are at risk. The vulnerability provides an initial point of compromise for attackers to leverage in staging further attacks that could deface your site, steal login credentials and sensitive data from administrators and visitors, spam search engines with bad links to harm SEO, and otherwise damage user trust or lead to legal and regulatory problems in cases of data breaches.

How do I know if my site is vulnerable or has been compromised?

Your site is vulnerable if running any Shortcodes Ultimate version up to and including 7.0.2. Update to 7.0.3 immediately. To check for compromise, look for unauthorized edits in files and databases, scan JavaScript for obfuscated or outright malicious looking code, and watch for sudden redirections or UI/UX changes unexplained by updates. If still unsure, professionals can conduct compromise assessments and carefully inspect everything.

Should I just delete Shortcodes Ultimate and find an alternative?

Uninstalling the plugin prevents continued vulnerability exposure, but does not remove existing malicious code if already attacked, hence why compromise checks remain vital. Alternate shortcode plugins avoid this flaw but may harbor other bugs, making staying updated imperative no matter the replacement. For site integrity reasons, professional cleanup of malicious remnants often proves wise before installing anything new.

What if I need Shortcodes Ultimate for my business site to function?

Understandable if you rely on custom shortcode features, especially with intricate site integration. In this case, updating to Shortcodes Ultimate 7.0.3 or higher will fully patch the vulnerability without losing functionality or triggering extensive regressions. We still advise compromise checks as attacking the flaw pre-patch remains possible. For peace of mind, additional hardening of WordPress permissions, folders, error reporting and more can further boost security.

How do I actually update Shortcodes Ultimate properly?

Log into your WP dashboard, click "Plugins" on the left, click "Update" next to Shortcodes Ultimate, then click the minor version update likely prefixed with "Bug fixes and enhancements". Disable, test on a staging copy if possible, clear caches, check nothing breaks. Updating securely may require tweaking file/folder permissions after. If issues arise, experts can assist smooth, proper, restoration focused updates.

I updated but the vulnerable version remains active, why?

Sometimes plugin updates incorrectly leave old buggy copies active instead truly updating. Check the active plugin version shown matches the newest fixed release. If wrong, fully deleting Shortcodes Ultimate then reinstalling the latest files usually resolves this quirk. Conservative types might backup files beforehand. Refreshing dashboard and browser cache also helps. Still stuck? professionals can investigate and remove lingering vulnerable versions.

My site was hacked through this flaw already, what now?

Immediately take the compromised site offline by renaming wp-config.php. Backup all files and databases safely for later inspection. Next secure clean reinstalls of WordPress core, themes and trusted plugins on a freshly setup web space. Update Shortcodes Ultimate on this secured copy last. Restore sanitized production content. Inspect backups to determine attack scope for disclosure duties if regulated. Experts aid safe restoration, vulnerability checks, removal of backdoors, providing legal/PR advice.

How can I prevent this from happening again in the future?

Beyond updating Shortcodes Ultimate, broadly strengthen WordPress security by enabling strong passwords, automatic background updates for core and plugins, restrictive file permissions on directories, disable file editing capabilities and error information leakage. Run trustworthy security plugins like Wordfence to continually check files. Contract reputable developers to implement application security standards and audit the entire architecture. Signup for monitoring services alerting you to vulnerabilities and attacks as they arise.

Share this post:

X (Twitter) Facebook Pinterest LinkedIn Email Reddit WhatsApp Pocket SMS

Posted in Security, Vulnerabilities and tagged Cross-Site Scripting, cve-2024-1510, securing wordpress, Security Hygiene., Shortcodes Ultimate, shortcodes ultimate security flaw, shortcodes ultimate xss, stored XSS, web security patching, Website Maintenance, Website Security, website updates, WordPress plugin vulnerability, wordpress security

Shortcodes Ultimate Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode – CVE-2024-1510 | WordPress Plugin Vulnerability Report

Plugin Name: Shortcodes Ultimate

Key Information ormation:

Vulnerability Details:

Summary:

Detailed Overview:

Advice for Users:

Conclusion:

References:

Detailed Report:

Shortcodes Ultimate Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode – CVE-2024-1510 | WordPress Plugin Vulnerability Report FAQs

What exactly is vulnerable in Shortcodes Ultimate?

What exactly is vulnerable in Shortcodes Ultimate?

How serious is this vulnerability?

How serious is this vulnerability?

Could this vulnerability negatively impact my site?

Could this vulnerability negatively impact my site?

How do I know if my site is vulnerable or has been compromised?

How do I know if my site is vulnerable or has been compromised?

Should I just delete Shortcodes Ultimate and find an alternative?

Should I just delete Shortcodes Ultimate and find an alternative?

What if I need Shortcodes Ultimate for my business site to function?

What if I need Shortcodes Ultimate for my business site to function?

How do I actually update Shortcodes Ultimate properly?

How do I actually update Shortcodes Ultimate properly?

I updated but the vulnerable version remains active, why?

I updated but the vulnerable version remains active, why?

My site was hacked through this flaw already, what now?

My site was hacked through this flaw already, what now?

How can I prevent this from happening again in the future?

How can I prevent this from happening again in the future?

Share this post:

Leave a Comment Cancel Reply

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy