Inspiro Pro < 7.2.3 - Contributor+ Stored Cross-Site Scripting

Description

The plugin does not sanitize the portfolio slider description, allowing users with privileges as low as Contributor to inject JavaScript into the description.

Proof of Concept

Steps to reproduce:
1) As a Contributor, go to portfolio on the dashboard and add new item.
2) on the editing page that comes up, scroll down to the slider section
3) Add the payload in the description area. "<img src=1 onerror=alert('xss')>"
4) save and preview the item and watch the script trigger.
5)login as an administrator or editor and also preview the created portfolio item and the script gets triggered 

Source: https://wpscan.com/vulnerability/dd6ebf6b-209b-437c-9fe4-527ab9e3b9e3

Posted in Updates.