sybrew/email.txt Secret

## email.txt
Hello W.org Plugin Team!

Plugin:
https://wordpress.org/plugins/donorbox-donation-form/

Vulnerability:
Stored XSS via the shortcode by creating arbitrary attributes. It only requires privileges to store shortcodes. When shortcodes are running in comments, unauthorized visitors can craft the payload.
When XSS protection is enabled on the server, this has no effect.

Vulnerable line: https://plugins.trac.wordpress.org/browser/donorbox-donation-form/trunk/donorbox_embed_campaign.php#L153

PoC snippet:
[donate url='/\?\" autofocus onfocus=\"alert(window)\" abitraryAttributeToValidateShortcodeParsing=\"']

onLoad may or may not work, because there’s a script that the plugin outputs which overrides that attribute. ‘onfocus=’ combined with ‘autofocus’ seems to do the trick ;)

Solution:
Before $campaign_id is echo’d, run this:
$campaign_id = esc_attr( $campaign_id );

Kind regards,
Sybre Waaijer
	Hello W.org Plugin Team!

	Plugin:
	https://wordpress.org/plugins/donorbox-donation-form/

	Vulnerability:
	Stored XSS via the shortcode by creating arbitrary attributes. It only requires privileges to store shortcodes. When shortcodes are running in comments, unauthorized visitors can craft the payload.
	When XSS protection is enabled on the server, this has no effect.

	Vulnerable line: https://plugins.trac.wordpress.org/browser/donorbox-donation-form/trunk/donorbox_embed_campaign.php#L153

	PoC snippet:
	[donate url='/\?\" autofocus onfocus=\"alert(window)\" abitraryAttributeToValidateShortcodeParsing=\"']

	onLoad may or may not work, because there’s a script that the plugin outputs which overrides that attribute. ‘onfocus=’ combined with ‘autofocus’ seems to do the trick ;)

	Solution:
	Before $campaign_id is echo’d, run this:
	$campaign_id = esc_attr( $campaign_id );

	Kind regards,
	Sybre Waaijer