WordPress Plugin Netroics Blog Posts Grid Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the WordPress Plugin Netroics Blog Posts Grid, version 1.0. This vulnerability allows authenticated editors to inject malicious scripts by exploiting the post_title parameter, which is not properly sanitized. The injected scripts can execute in the browsers of other users who view the draft post, potentially leading to cookie theft and session hijacking.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the post.

Reproduction

To reproduce this vulnerability, log in as an editor and create a new testimonial. Inject a script payload into the title field, which corresponds to the post_title parameter. After saving the draft, the injected script will execute when the post is previewed by another editor or admin.
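A triage sweep for titles that may already be stored on an affected site, as an added example that is not part of the advisory or the plugin's code: it classifies post_title values exported from wp_posts as clean, inert markup, or script-capable. The row layout, the `testimonial` post type name and every sample title are constructed assumptions.

```python
from html.parser import HTMLParser

# Tags that can run script or load active content; any other tag counts as inert markup.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math", "style", "link", "meta", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class TitleScan(HTMLParser):
    """Collects the tags found in one post_title value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.active = [], False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag in ACTIVE_TAGS:
            self.active = True
        for name, value in attrs:
            # Drop whitespace and control characters that browsers ignore in URL schemes.
            url = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on") or (name in URL_ATTRS and url.startswith(("javascript:", "data:text/html"))):
                self.active = True


def classify_title(title):
    """Return 'clean', 'markup' (inert tags only) or 'active' (script-capable)."""
    scan = TitleScan()
    scan.feed(title)
    scan.close()
    if scan.active:
        return "active"
    return "markup" if scan.tags else "clean"


def sweep(rows):
    """Return (ID, post_status, verdict) for every row whose title is not clean."""
    hits = [(r["ID"], r["post_status"], classify_title(r["post_title"])) for r in rows]
    return [h for h in hits if h[2] != "clean"]


# Constructed sample rows shaped like a wp_posts export; 'testimonial' is a placeholder post type.
SAMPLE_ROWS = [
    {"ID": 101, "post_type": "testimonial", "post_status": "publish", "post_title": "Great service, 5 < 7 days"},
    {"ID": 102, "post_type": "testimonial", "post_status": "publish", "post_title": "<em>Loved it</em>"},
    {"ID": 103, "post_type": "testimonial", "post_status": "draft", "post_title": "<script>/* constructed */</script>"},
    {"ID": 104, "post_type": "testimonial", "post_status": "draft", "post_title": 'Hi <img src="x" onerror="/* constructed */">'},
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_ROWS):
        print(hit)
```

Rows reported as `active` in draft status match the condition described above and are the ones to review and clean before another editor or admin previews them.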

Added: May 10, 2026, 1:27 PM
Updated: May 10, 2026, 1:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.