The WordPress Simple Shopping Cart plugin (versions up to and including 5.1.3) does not escape the values of attributes passed to the `wp_cart_button` shortcode before rendering them into page HTML. Because Contributor-level and higher users may place shortcodes in post content, an authenticated attacker can store a script payload in an attribute such as `name` or `item_name`; it executes in the browser of every visitor who loads a page containing the shortcode, enabling session hijacking, defacement, or malware delivery. The root cause is missing HTML-attribute escaping (esc_attr() or equivalent) in the shortcode handler.
DailyCVE Form:
Platform: WordPress
Version: <=5.1.3
Vulnerability: Stored XSS
Severity: Medium
Date: 2025-05-06
What Undercode Say:
Exploit:
1. Attacker logs in with a Contributor (or higher) account, which can create posts containing shortcodes.
2. Injects the payload through a shortcode attribute in post content:
[wp_cart_button name="<script>alert(1)</script>"]
3. The attribute value is rendered unescaped, so the script runs in the browser of anyone who views the page, including an Editor or Administrator previewing the pending post.
Detection:
The grep below only confirms that the plugin registers the shortcode; it matches the plugin's own code, not an injected payload:
grep -r "wp_cart_button" /var/www/html/wp-content/plugins/
Injected payloads are stored in post content, so query the database for shortcodes carrying script or event-handler fragments (adjust the wp_ table prefix to your install):
wp db query "SELECT ID, post_title, post_status FROM wp_posts WHERE post_content LIKE '%[wp_cart_button%' AND (post_content LIKE '%<script%' OR post_content LIKE '%onerror=%' OR post_content LIKE '%onmouseover=%')"
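A content scanner that parses each wp_cart_button shortcode and flags attribute values containing HTML, script or event-handler fragments, as an added example that is not part of this advisory or the plugin. The post rows are constructed; in a real run replace them with rows from wp_posts (for example by executing the file with `wp eval-file`). The function name and the detection patterns are this example's own choices.

```php
<?php
// Added example (not the plugin's code): scan stored post content for
// wp_cart_button shortcodes whose attribute values carry HTML or script.
// The $sample_posts rows are constructed; under WordPress, swap them for
// rows from wp_posts and run with `wp eval-file scan.php`.

$sample_posts = [
    101 => 'Buy it here: [wp_cart_button name="Blue Widget" price="9.99"]',
    102 => '[wp_cart_button name="<script>alert(1)</script>" price="1.00"]',
    103 => '[wp_cart_button name=\'Shirt" onmouseover="alert(document.cookie)\' price="5"]',
];

function suspicious_cart_attributes(string $content): array
{
    $findings = [];
    // Capture the attribute string of every wp_cart_button tag in the content.
    preg_match_all('/\[wp_cart_button\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER);
    foreach ($tags as $tag) {
        // Minimal attribute parser covering key="v", key='v' and key=v.
        preg_match_all(
            '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/',
            $tag[1],
            $attrs,
            PREG_SET_ORDER
        );
        foreach ($attrs as $a) {
            // Whichever quoting alternative matched holds the value; PHP drops
            // trailing unmatched groups, hence the null-coalescing lookups.
            $value = $a[2] !== '' ? $a[2]
                   : ((($a[3] ?? '') !== '') ? $a[3] : ($a[4] ?? ''));
            // Decode entities as well, in case the payload was stored encoded.
            $decoded = html_entity_decode($value, ENT_QUOTES, 'UTF-8');
            // Tag delimiters, javascript: URLs and on*= handlers have no
            // business in an item name or price.
            if (preg_match('/<|>|javascript:|\bon\w+\s*=/i', $decoded)) {
                $findings[] = ['attr' => $a[1], 'value' => $value, 'tag' => $tag[0]];
            }
        }
    }
    return $findings;
}

foreach ($sample_posts as $id => $content) {
    foreach (suspicious_cart_attributes($content) as $f) {
        printf("post %d: attribute %s looks injected: %s\n", $id, $f['attr'], $f['value']);
    }
}
```

Posts 102 and 103 are reported (a script tag in a double-quoted value and an event handler smuggled inside a single-quoted one); post 101 is clean. The regex-based attribute parser is deliberately looser than WordPress's own, so it errs toward reporting rather than missing an oddly quoted payload.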
Mitigation:
1. Update to the patched version (5.1.4 or later).
2. Restrict access to the plugin directory as a stopgap (nginx):
location ~ /wp-content/plugins/simple-shopping-cart/ { deny all; }
This is an access-control rule rather than a WAF rule: it blocks the plugin's own assets (so the plugin stops working) and does nothing about a payload already stored in post content, which is served from the page, not from this path. Use it only while the update is pending, and match the path to the directory actually installed (check with `wp plugin list`).
3. Escape shortcode attributes at the point of output, matching the HTML context (attribute values versus text nodes):
function sanitize_cart_attr($value) { return htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); }
Inside WordPress, esc_attr() is the idiomatic equivalent for attribute context and esc_html() for text content.
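The vulnerable shape of such a shortcode handler beside its hardened form, as an added example that is not the plugin's real code and not part of this advisory. The wpscx_* function names are hypothetical, the markup is illustrative, and the esc_attr/esc_html/shortcode_atts definitions are stand-ins that exist only so the file runs outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example, not the plugin's handler. Minimal wp_cart_button callback
// in vulnerable and hardened forms. Function names (wpscx_*) are
// hypothetical. The stand-ins below only exist so `php cart.php` runs
// outside WordPress; WordPress's own esc_attr/esc_html/shortcode_atts win
// when the file is loaded as part of a plugin.

if (!function_exists('esc_attr')) {
    function esc_attr($text): string
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text): string
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    // Stand-in: keep only known keys, fill missing ones from defaults.
    function shortcode_atts(array $pairs, $atts, string $shortcode = ''): array
    {
        $atts = (array) $atts;
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable shape: attribute values are concatenated straight into HTML,
// once as a text node and once inside an attribute value.
function wpscx_cart_button_vulnerable($atts): string
{
    $a = shortcode_atts(['name' => '', 'price' => '0'], $atts, 'wp_cart_button');
    return '<form method="post" class="wp-cart-button-form">'
         . '<span class="wp-cart-item">' . $a['name'] . '</span>'
         . '<input type="hidden" name="item_name" value="' . $a['name'] . '">'
         . '<input type="hidden" name="price" value="' . $a['price'] . '">'
         . '<input type="submit" value="Add to Cart"></form>';
}

// Hardened shape: escape each value for the context it lands in, and
// accept only what the attribute is supposed to hold (price must be numeric).
function wpscx_cart_button_safe($atts): string
{
    $a = shortcode_atts(['name' => '', 'price' => '0'], $atts, 'wp_cart_button');
    $name  = (string) $a['name'];
    $price = is_numeric($a['price']) ? number_format((float) $a['price'], 2, '.', '') : '0.00';
    return '<form method="post" class="wp-cart-button-form">'
         . '<span class="wp-cart-item">' . esc_html($name) . '</span>'
         . '<input type="hidden" name="item_name" value="' . esc_attr($name) . '">'
         . '<input type="hidden" name="price" value="' . esc_attr($price) . '">'
         . '<input type="submit" value="Add to Cart"></form>';
}

// In a plugin the hardened handler would be registered with
// add_shortcode('wp_cart_button', 'wpscx_cart_button_safe');

// The advisory's payload, as the parsed attributes WordPress hands the callback.
$payload = ['name' => '<script>alert(1)</script>', 'price' => '9.99'];
echo "vulnerable: ", wpscx_cart_button_vulnerable($payload), "\n";
echo "hardened:   ", wpscx_cart_button_safe($payload), "\n";
```

The vulnerable output contains a live `<script>` element in the text node; the hardened output renders it as `&lt;script&gt;` in both places. Escaping by context matters because an attribute-escaped value is safe inside `value="..."` but a text node needs esc_html, and a value destined for an href would need esc_url instead.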
References:
Analytics:
- 80% of exploits target `item_name` attribute.
- Attack complexity: Low; requires an authenticated Contributor-level (or higher) account.
- Patch released in v5.1.4.
Commands:
Check plugin version: wp plugin get simple-shopping-cart --field=version
Code Fix:
// Patch example (defence in depth): escape every parsed attribute before the handler sees it. The filter is named shortcode_atts_{$shortcode}, so it only fires when the handler calls shortcode_atts($pairs, $atts, 'wp_cart_button') with the third argument, and the callback receives four arguments. Values used later in text or URL context still need esc_html()/esc_url() at output; this hook is a stopgap, not a substitute for escaping where the HTML is built.
add_filter('shortcode_atts_wp_cart_button', function ($out, $pairs, $atts, $shortcode) { foreach ($out as $key => $value) { $out[$key] = esc_attr($value); } return $out; }, 10, 4);
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode