The Cross-Site Scripting (XSS) vulnerability patched in Blubrry’s PowerPress plugin, which is actively installed on more than 50,000 WordPress websites.

The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

Technical Analysis

PowerPress is a plugin that allows WordPress users to publish and manage podcasts. It provides a shortcode ([powerpress]) that allows users to display the PowerPress player on a WordPress page. However, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. A closer examination of the code reveals that the ‘powerpress_shortcode_handler’ function did not adequately sanitize user-supplied input and a number of functions (for various podcast player options) that utilize the shortcode attributes did not adequately escape output

Buy Me A Coffee
The powerpress_shortcode_handler function
The powerpress_shortcode_handler function
The powerpress_generate_embed function creates an iframe using unescaped shortcode attributes.

This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected, it will execute each time a user accesses the affected page. Threat actors could potentially steal sensitive information, manipulate site content, or redirect users to malicious websites.

We encourage WordPress users to verify that their sites are updated to the latest patched version of PowerPress.

CERT-In Finds Multiple Bugs in Google Chrome, SAP Products