Rich Shortcodes for Google Reviews Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Rich Shortcodes for Google Reviews WordPress plugin, affecting versions through 6.8. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages, which are executed when users access the affected pages. The issue arises from inadequate input sanitization and output escaping, particularly concerning the contents of Google Reviews. Although this vulnerability was partially addressed in version 6.6.2, it remains a concern in versions 6.8 and earlier.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, upload a Google Review containing a script injection via the WordPress admin panel. Once the review is published, the injected script will execute when the review is viewed on the site.

Remediation

Users are advised to update the Rich Shortcodes for Google Reviews plugin to version 6.8.1 or a newer patched version.