The Formality plugin for WordPress (versions ≤1.5.8) fails to sanitize the `align` parameter, allowing authenticated attackers (Contributor+) to inject malicious scripts. These scripts persist in pages and execute when visited, enabling session hijacking, defacement, or malware delivery. The vulnerability stems from insecure rendering of user-supplied input in the block editor.
DailyCVE Form:
Platform: WordPress
Version: ≤1.5.8
Vulnerability: Stored XSS
Severity: Medium
Date: 05/06/2025
What Undercode Say:
Exploit:
1. Attacker logs in as Contributor.
2. Crafts a post with a malicious payload in `align`:
   [formality align="left\" onload=alert(document.cookie)//"]
3. Saves post; script triggers on page view.
Detection:
Scan stored post content for unescaped `align` attributes in Formality blocks (the original query omitted the column list; the LIKE pattern is deliberately broad, so review hits by hand):
SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%align=%"%>%';
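The SQL above only narrows the candidate rows; the check that actually decides whether an `align` value is the injection pattern this advisory describes is easier to express in a script run over the returned `post_content`. The following is an added detection example written for this page, not code from the Formality project or from DailyCVE. It assumes the shortcode is named `formality` (as in the payload above) and that legitimate `align` values are only `left`, `center` and `right`; both are assumptions, and the sample rows are constructed, not real site data.

```python
"""Scan WordPress post_content for Formality shortcodes whose `align`
attribute carries a quote-breakout or an injected event handler.

Assumptions (not taken from the advisory): the shortcode is named
`formality`, and legitimate `align` values are only left/center/right.
"""
import re

# Constructed sample rows standing in for
# `SELECT ID, post_content FROM wp_posts` (not real site data).
SAMPLE_POSTS = {
    101: '<p>Contact us</p>[formality align="left"]',
    102: '[formality align="left\\" onload=alert(document.cookie)//"]',
    103: '[formality id="12" align="center"]<p>Thanks!</p>',
    104: '[formality align="right" onmouseover="x()"]',
}

ALLOWED_ALIGN = {"left", "center", "right"}  # assumed allowlist

# One Formality shortcode and everything between its brackets
SHORTCODE_RE = re.compile(r"\[formality\b([^\]]*)\]", re.IGNORECASE)
# Double-quoted align value; a breakout like `left\` ends up inside group 1
ALIGN_RE = re.compile(r'\balign\s*=\s*"([^"]*)"', re.IGNORECASE)
# Any on*= event-handler attribute (onload=, onmouseover=, ...)
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def scan_post(post_id, content):
    """Return one finding per suspicious Formality shortcode in a post."""
    findings = []
    for match in SHORTCODE_RE.finditer(content):
        attrs = match.group(1)
        reasons = []
        align = ALIGN_RE.search(attrs)
        if align and align.group(1).lower() not in ALLOWED_ALIGN:
            # e.g. `left\` from the payload in the Exploit section
            reasons.append(f"align={align.group(1)!r} outside allowlist")
        if EVENT_HANDLER_RE.search(attrs):
            reasons.append("event-handler attribute in shortcode")
        if reasons:
            findings.append({
                "post_id": post_id,
                "shortcode": match.group(0),
                "reasons": reasons,
            })
    return findings


def scan_posts(rows):
    """Run scan_post over a {post_id: post_content} mapping."""
    findings = []
    for post_id, content in rows.items():
        findings.extend(scan_post(post_id, content))
    return findings


if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(f"post {finding['post_id']}: "
              f"{'; '.join(finding['reasons'])} -> {finding['shortcode']}")
```

Two signals are checked independently on purpose: the allowlist catches values that break out of the quoted attribute even when no `on*=` text follows, and the event-handler check catches handlers smuggled in next to a perfectly valid `align` value. Posts 102 and 104 are flagged; 101 and 103 are clean.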
Mitigation:
1. Update to Formality >1.5.8.
2. Apply a CSP header (the original line used script-src 'unsafe-inline', which would still permit the injected inline handler; 'self' blocks inline scripts and event-handler attributes, so test that the theme's own inline scripts still work):
Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
3. Sanitize Formality block output via a filter as a stopgap until updated. WordPress exposes the generic `render_block` filter (the per-block variant takes the full namespaced block name); note that wp_kses_post() strips form and input elements, so check that the form still renders:
add_filter('render_block', function ($block_content, $block) {
    // Assumes Formality registers its blocks under the "formality/" namespace
    if (str_starts_with((string) ($block['blockName'] ?? ''), 'formality/')) {
        return wp_kses_post($block_content); // drops on* attributes and scripts
    }
    return $block_content;
}, 10, 2);
Tooling:
- WPScan command (enumerate installed plugins; an API token is needed for vulnerability data, and the flags on the original line do not exist):
wpscan --url TARGET --enumerate p --api-token WPSCAN_API_TOKEN
- Burp Suite match/replace rule to strip `on` attributes.
Indicators:
- Unusual `align` values in `wp_postmeta`.
- POST requests to `/wp-admin/post.php` with script fragments.
Patch Diff:
- echo ' < div align="' . $attrs['align'] . '">'; + echo ' < div align="' . esc_attr($attrs['align']) . '">';
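Review bot: `esc_attr()` is the correct escape for a double-quoted attribute value and closes the quote-breakout shown in the Exploit section, but the hunk still reads `$attrs['align']` unconditionally, which raises a PHP notice when the attribute is absent, and `align` takes only a small fixed set of values, so validating against an allowlist before escaping would be the tighter fix, e.g. `in_array($attrs['align'] ?? '', ['left', 'center', 'right'], true)`. The spaces in `' < div'` should also be checked: if they are in the source and not an extraction artefact, the output `< div` is not parsed as a tag.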
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode