WordPress, Stored Cross-Site Scripting, CVE-2025-3748 (High)

The Taxonomy Chain Menu plugin (≤1.0.8) for WordPress fails to sanitize user-supplied attributes in the `pn_chain_menu` shortcode, enabling authenticated attackers (Contributor+) to inject malicious scripts. These scripts persist in the database and execute when visitors load compromised pages. The vulnerability stems from improper output escaping, allowing JavaScript payloads via crafted shortcode attributes like `class` or `id`. Attackers can hijack sessions, deface sites, or redirect users.

DailyCVE Form:

Platform: WordPress
Version: ≤1.0.8
Vulnerability: Stored XSS
Severity: High
Date: 2025-05-06

What Undercode Say:

Exploit:

[pn_chain_menu class="<script>alert(document.cookie)</script>"]

Detection:

grep -r "pn_chain_menu" /var/www/html/wp-content/plugins/
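
An added example (not from the original advisory or the plugin): a read-only audit of stored post content that parses each `pn_chain_menu` shortcode and reports attribute values containing markup characters. The sample rows, the function names and the character heuristic are assumptions made for illustration.

```python
import re

# [pn_chain_menu ...]: capture the raw attribute string up to the closing bracket.
SHORTCODE_RE = re.compile(r"\[pn_chain_menu\b([^\]]*)\]", re.IGNORECASE)
# name="value", name='value' or name=bare (simplified shortcode attribute syntax).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")
# Heuristic (assumption): markup characters or their entity forms never belong
# in a value such as class or id.
SUSPICIOUS_RE = re.compile(r"""[<>"'`]|&(?:lt|gt|quot|#x?[0-9a-f]+);""", re.IGNORECASE)


def parse_attrs(raw):
    """Return {name: value} for one shortcode's attribute string."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        # Exactly one of the three value groups matched (quoted, quoted, bare).
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def audit_posts(posts):
    """posts: iterable of (post_id, post_content). Returns a list of findings."""
    findings = []
    for post_id, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            for name, value in parse_attrs(sc.group(1)).items():
                if SUSPICIOUS_RE.search(value):
                    findings.append((post_id, name, value))
    return findings


# Constructed sample rows standing in for (ID, post_content) from wp_posts.
SAMPLE_POSTS = [
    (101, 'Intro [pn_chain_menu class="sidebar-menu" id="menu1"] outro'),
    (102, '[pn_chain_menu class="<script>alert(document.cookie)</script>"]'),
    (103, 'A post that mentions pn_chain_menu without using the shortcode.'),
    (104, "[pn_chain_menu id='a\"b']"),
]

if __name__ == "__main__":
    for post_id, name, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: attribute {name!r} has suspicious value {value!r}")
```

Because the script only reads content, it can be run over an export of `wp_posts` to list affected post IDs for review before any cleanup query is executed.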

Mitigation:

1. Update to patched version.

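2. Apply WAF rules (nginx example that denies direct requests to files under the plugin directory; shortcodes stored in posts are still rendered by WordPress itself, so this does not replace the update):

location ~ /wp-content/plugins/taxonomy-chain-menu/ {
    deny all;
}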

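3. Sanitize shortcode attributes:

add_filter('shortcode_atts_pn_chain_menu', function ($atts) {
    // Runs only if the plugin passes 'pn_chain_menu' as the third argument to shortcode_atts().
    // Escape every attribute value before the plugin uses it.
    return array_map('esc_attr', $atts);
});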

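4. Database cleanup (back up `wp_posts` first; the query removes every `pn_chain_menu` shortcode whose attributes contain "script"):

UPDATE wp_posts SET post_content = REGEXP_REPLACE(post_content, '\\[pn_chain_menu [^\\]]*script[^\\]]*\\]', '') WHERE post_content LIKE '%pn_chain_menu%';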

Log Analysis:

tail -f /var/log/apache2/access.log | grep -E "POST .*/wp-admin/post\.php"

References:

Sources:

Reported By: nvd.nist.gov