Debt.com Business in a Box Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Debt.com Business in a Box plugin for WordPress, affecting all versions through 4.1.0. The issue arises in the 'configuration' parameter of the lead_form shortcode, where inadequate input sanitization and output escaping allow authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts. These scripts are executed when a user accesses the compromised page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can inject scripts through the 'configuration' parameter of the lead_form shortcode. The injected scripts will be executed when the page is accessed by a user.

Remediation

No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.