On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in Blubrry’s PowerPress plugin, which is actively installed on more than 50,000 WordPress websites. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.
We contacted Blubrry on April 6, 2023, and promptly received a response. After providing full disclosure details, the developer released a patch on April 10, 2023. We commend the PowerPress development team for their swift response and timely patch release.
We urge users to update their sites with the latest patched version of PowerPress, version 10.0.4 at the time of this writing, as soon as possible.
Technical Analysis
PowerPress is a plugin that allows WordPress users to publish and manage podcasts. It provides a shortcode ([powerpress]) that allows users to display the PowerPress player on a WordPress page. However, insecure implementation of the plugin's shortcode functionality allows for the injection of arbitrary web scripts into these pages. A closer examination of the code reveals that the powerpress_shortcode_handler function did not adequately sanitize user-supplied input, and a number of functions (for various podcast player options) that use the shortcode attributes did not adequately escape output.
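To make the shape of the bug concrete, the following is an added illustration, not PowerPress's own code or the patched code from Blubrry. It shows a hypothetical shortcode handler in the vulnerable form described above (attribute values interpolated straight into markup) next to a hardened version that escapes each attribute for the context it lands in. The shortcode name, attribute names and the markup are invented for the example; the small stand-in functions at the top exist only so the file runs under plain `php` and are replaced by the real WordPress helpers inside a site.

```php
<?php
// Added example, not PowerPress code. Stand-ins for WordPress helpers so this
// runs offline; in WordPress the core esc_url()/esc_attr()/absint()/
// shortcode_atts() are used instead and these definitions are skipped.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, $atts) {
        $atts = (array) $atts;
        $out = [];
        foreach ($defaults as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: accept only http(s) URLs, then escape for attribute context.
    function esc_url($url) {
        $url = trim((string) $url);
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($n) { return abs((int) $n); }
}

// VULNERABLE (hypothetical): attribute values from the saved post content are
// written into the player markup verbatim. A contributor only needs the
// ability to save a post containing the shortcode; the payload is stored in
// post_content and rendered on every page view.
function vulnerable_player_shortcode($atts) {
    $a = shortcode_atts(['url' => '', 'title' => 'Episode', 'width' => '300'], $atts);
    return '<audio controls src="' . $a['url'] . '"'
         . ' title="' . $a['title'] . '"'
         . ' style="width:' . $a['width'] . 'px"></audio>';
}

// HARDENED (hypothetical): escape per context at output time.
//   URL attribute      -> esc_url()  (drops javascript:/data: schemes, escapes quotes)
//   text attribute     -> esc_attr() (neutralises " ' < > &)
//   numeric CSS value  -> absint()   (never interpolate raw text into style)
function hardened_player_shortcode($atts) {
    $a = shortcode_atts(['url' => '', 'title' => 'Episode', 'width' => '300'], $atts);
    return '<audio controls src="' . esc_url($a['url']) . '"'
         . ' title="' . esc_attr($a['title']) . '"'
         . ' style="width:' . absint($a['width']) . 'px"></audio>';
}

// Constructed attacker-controlled attributes. In a real post the contributor
// would write them single-quoted, e.g. [player url='" onloadstart="..." x="'],
// because WordPress's shortcode parser lets a single-quoted value contain
// double quotes. Post-save filtering (wp_kses) does not help here: the
// attributes are plain text in the post and only become markup when the
// shortcode is rendered on view.
$attack = [
    'url'   => '" onloadstart="alert(document.cookie)" x="',
    'title' => '"><img src=x onerror=alert(1)>',
    'width' => '300px;" onmouseover="alert(2)',
];

echo "vulnerable: " . vulnerable_player_shortcode($attack) . PHP_EOL;
echo "hardened:   " . hardened_player_shortcode($attack) . PHP_EOL;
```

Running the file shows the vulnerable handler emitting the attacker's `onloadstart`, `onerror` and `onmouseover` handlers as live attributes of the rendered page, while the hardened handler emits an empty `src`, a quoted-and-escaped `title` and `width:300px`. The broader point for a reviewer is that both halves of the fix matter: sanitizing at save time (sanitize_text_field on the handler's input) limits what is stored, but only context-aware escaping at output time stops a stored value from breaking out of the attribute it is placed in.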
This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected, it executes in the browser of every user who loads the affected page, including administrators. Threat actors could potentially steal sensitive information, manipulate site content, or redirect users to malicious websites.
Source and more details: https://www.wordfence.com/blog/2023/04/blubrry-addresses-authenticated-stored-xss-vulnerability-in-powerpress-wordpress-plugin