sybrew/email.txt Secret

Created Dec 19, 2019
Email to about Donorbox
Hello Plugin Team!
Stored XSS via the shortcode: a crafted attribute value lets the attacker inject arbitrary HTML attributes into the rendered element. It only requires the privilege to store shortcodes. When shortcodes are processed in comments, unauthorized visitors can craft the payload.
When XSS protection is enabled on the server, this payload has no effect.
Vulnerable line:
PoC snippet:
[donate url='/\?\" autofocus onfocus=\"alert(window)\" abitraryAttributeToValidateShortcodeParsing=\"']
onLoad may or may not work, because the plugin outputs a script that overrides that attribute. 'onfocus=' combined with 'autofocus' seems to do the trick ;)
Before $campaign_id is echo’d, run this:
$campaign_id = esc_attr( $campaign_id );
Kind regards,
Sybre Waaijer
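As an added illustration (not the plugin's own code): a simplified shortcode handler in the shape the report describes, once without and once with the esc_attr() fix, run against an attribute value of the same shape as the PoC. The handler names, the assumption that $campaign_id lands in an href attribute, and the stand-in definitions of esc_attr()/shortcode_atts() (only used when WordPress is not loaded) are mine.

```php
<?php
// Stand-ins so this runs outside WordPress; inside WP the real functions win.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		// Real esc_attr() also validates UTF-8; the quote/angle escaping is what matters here.
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
	}
}
if ( ! function_exists( 'shortcode_atts' ) ) {
	function shortcode_atts( $pairs, $atts ) {
		// Keep only known attribute names, fill in defaults for missing ones.
		return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
	}
}

// Hypothetical handler: the `url` attribute is echoed straight into an HTML attribute.
function donate_button_vulnerable( $atts ) {
	$a           = shortcode_atts( array( 'url' => '' ), $atts );
	$campaign_id = $a['url'];
	return '<a class="donate" href="' . $campaign_id . '">Donate</a>';
}

// Same handler with the one-line fix from the report applied before output.
function donate_button_fixed( $atts ) {
	$a           = shortcode_atts( array( 'url' => '' ), $atts );
	$campaign_id = esc_attr( $a['url'] );
	return '<a class="donate" href="' . $campaign_id . '">Donate</a>';
}

// Constructed attribute value mirroring the PoC: a double quote closes the href,
// then extra attributes follow (the trailing x=" swallows the original closing quote).
$atts = array( 'url' => '/?" autofocus onfocus="alert(window)" x="' );

// Unescaped: the quote terminates href and the injected attributes become real ones.
echo donate_button_vulnerable( $atts ), "\n";
// Escaped: every quote is emitted as &quot;, so the whole value stays inside href.
echo donate_button_fixed( $atts ), "\n";
```

Run it with `php` on the command line; the second line of output shows the entire payload kept inside the href value as inert text.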

sybrew commented Dec 19, 2019

Once the plugin's vulnerability is addressed (i.e., the plugin is updated to 7.1.2), the exploited shortcode will no longer be effective.
