WordPress Plugin Vulnerability Report – Shortcodes Ultimate – Authenticated (Contributor+) Stored Cross-Site Scripting & Insecure Direct Object Reference to Information Disclosure – CVE-2023-6225 & CVE-2023-6226

Plugin Name: Shortcodes Ultimate

Key Information:

  • Software Type: Plugin
  • Software Slug: shortcodes-ultimate
  • Software Status: Active
  • Software Author: gn_themes
  • Software Downloads: 17,874,399
  • Active Installs: 600,000
  • Last Updated: November 27, 2023
  • Patched Versions: 7.0.0
  • Affected Versions: <= 5.13.3

Vulnerability 1 Details:

  • Name: WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2023-6225
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: November 27, 2023
  • Researcher: Francesco Carlucci
  • Description: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_meta shortcode combined with post meta data in all versions up to, and including, 5.13.3 due to insufficient input sanitization and output escaping on user supplied meta values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Vulnerability 2 Details:

  • Name: WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 - Insecure Direct Object Reference to Information Disclosure
  • Title: Insecure Direct Object Reference to Information Disclosure
  • Type: Authorization Bypass Through User-Controlled Key
  • CVE: CVE-2023-6226
  • CVSS Score: 4.3 (Medium)
  • Publicly Published: November 27, 2023
  • Researcher: not stated
  • Description: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user controlled keys 'key' and 'post_id'. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta values which may contain sensitive information when combined with another plugin.

Summary:

The Shortcodes Ultimate plugin for WordPress has vulnerabilities in versions up to and including 5.13.3 that enable authenticated stored cross-site scripting and insecure direct object reference to information disclosure. These vulnerabilities have been patched in version 7.0.0.

Detailed Overview:

The first vulnerability (CVE-2023-6225) is due to insufficient input sanitization and output escaping on user supplied meta values passed to the su_meta shortcode. This allows attackers with contributor-level access or higher to inject arbitrary JavaScript that will execute when pages containing the payload are viewed by victims.

The second vulnerability (CVE-2023-6226) is caused by missing access controls on the su_meta shortcode's key and post_id parameters. By manipulating these values, authenticated users can retrieve sensitive information from arbitrary posts. This could expose private data when combined with certain other plugins.
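To make the two root causes concrete, the following is an added illustration written for this report, not code from Shortcodes Ultimate: a hypothetical [demo_meta] shortcode shown once with the weak pattern the advisory describes and once hardened. The function names, the shortcode tag and the "author of the containing post must be able to edit the target post" authorization rule are assumptions; it is meant to run inside WordPress, where the WordPress functions it calls exist.

```php
<?php
/**
 * Added illustration, not the plugin's own code: a hypothetical
 * [demo_meta key="..." post_id="..."] shortcode, written once with the two
 * weaknesses the advisory describes and once hardened. Assumes it is loaded
 * inside WordPress, so get_post_meta(), user_can(), esc_html() etc. exist.
 */

// Weak form: 'key' and 'post_id' are trusted exactly as supplied (IDOR) and
// the stored value is returned unescaped, so any HTML or script stored in a
// meta value lands in the rendered page (stored XSS).
function demo_meta_shortcode_weak( $atts ) {
	$atts = shortcode_atts( array( 'key' => '', 'post_id' => get_the_ID() ), $atts, 'demo_meta' );
	return get_post_meta( (int) $atts['post_id'], $atts['key'], true );
}

// Hardened form: validate both parameters, authorize the read, escape the output.
function demo_meta_shortcode_secure( $atts ) {
	$atts    = shortcode_atts( array( 'key' => '', 'post_id' => get_the_ID() ), $atts, 'demo_meta' );
	$post_id = absint( $atts['post_id'] );
	$key     = sanitize_key( $atts['key'] );

	if ( ! $post_id || '' === $key ) {
		return '';
	}

	// Never expose protected meta (underscore-prefixed or registered as
	// protected); that is where other plugins commonly keep sensitive values.
	if ( is_protected_meta( $key, 'post' ) ) {
		return '';
	}

	// Authorization check that closes the IDOR: the author of the post that
	// contains the shortcode must be allowed to edit the target post, so a
	// contributor can only pull meta from posts they could edit anyway.
	$author_id = (int) get_post_field( 'post_author', get_the_ID() );
	if ( $post_id !== (int) get_the_ID() && ! user_can( $author_id, 'edit_post', $post_id ) ) {
		return '';
	}

	$value = get_post_meta( $post_id, $key, true );
	if ( ! is_scalar( $value ) ) {
		return '';
	}

	// Output escaping that closes the XSS: the value is rendered as text, never
	// as markup. Use wp_kses_post() instead if a limited HTML subset is required.
	return esc_html( (string) $value );
}

add_shortcode( 'demo_meta', 'demo_meta_shortcode_secure' );
```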

Together, these flaws enable a range of attacks from stored XSS to information exposure. All users are advised to update to version 7.0.0 or higher as soon as possible.

Advice for Users:

  1. Immediate Action: Update to the latest patched release, version 7.0.0, as soon as possible.
  2. Check for Signs of Compromise: Review your site for unexpected JavaScript or HTML output, which could signal that the stored XSS flaw was used. Also review published content for shortcodes that pull meta values from posts their author should not have access to.
  3. Alternate Plugins: Consider using an alternate shortcodes plugin as a precaution until you can fully update.
  4. Stay Updated: Always keep your plugins updated to avoid vulnerabilities.

Conclusion:

The quick response by the developers to address these stored XSS and information disclosure flaws shows the importance of rapid patching. Shortcodes Ultimate users should upgrade to version 7.0.0 or higher immediately to protect their sites.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate/wp-shortcodes-plugin-shortcodes-ultimate-5133-authenticated-contributor-stored-cross-site-scripting

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shortcodes-ultimate/wp-shortcodes-plugin-shortcodes-ultimate-5133-insecure-direct-object-reference-to-information-disclosure

Detailed Report:

Do you have the popular Shortcodes Ultimate plugin installed on your WordPress website? If so, your site may be vulnerable to attacks. A recently publicized flaw in the plugin allows hackers to take over admin controls, steal sensitive data, and deface content. This plugin alone provides an open door for malicious actors due to insufficient security protections. Unfortunately, keeping WordPress and its plugins updated against the latest threats takes precious time small business owners rarely have. But leaving your online presence compromised can lead to irreparable damage. We urge you — secure your website now before it’s too late.

Shortcodes Ultimate has over 17 million downloads and powers 600,000 sites with enhanced formatting via shortcodes. However, the plugin contained cross-site scripting and information disclosure vulnerabilities in versions up to and including 5.13.3. The flaws enable authenticated users, like a staff contributor, to inject malicious JavaScript as well as view private post meta information. Attackers can leverage these access points to drop malware, take over admin accounts, alter content, or steal sensitive data.

While Shortcodes Ultimate patched the vulnerabilities in version 7.0.0, most users have likely not yet updated. The plugin has faced over 13 previous vulnerabilities providing hackers an easy target. Failure to update promptly leaves your site open not just to these recent threats, but potential new issues arising at any time.

If your business relies on its WordPress site, waiting to address vulnerabilities until after an attack strikes can have devastating consequences. You could face system downtime, loss of revenue, breach of customer data, tarnished reputation, and exorbitant recovery costs. We highly recommend immediately updating Shortcodes Ultimate to the latest 7.0.0 version. Scan for any signs of compromise like unexpected admin changes, JavaScript injections, or content alterations. If your site was already impacted, a security professional can fully clean any malware or backdoors.

Making time upfront to maintain updates for WordPress, associated plugins and themes can seem overly burdensome for small business owners. But it pales in comparison to the fallout of a debilitating breach. Work with a managed hosting provider or specialized WordPress security firm to ensure software stays updated. The latest flaws serve as an urgent reminder to lock down any open doors. Don’t leave your online business vulnerable any longer. Protect against web-based threats now and gain peace of mind knowing your website is secure.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
