Passster WordPress Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Passster – Password Protect Pages and Content plugin for WordPress, affecting all versions through 4.2.24. The vulnerability arises from the 'content_protector' shortcode, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary scripts into pages. These scripts execute when users access the compromised pages. Although version 4.2.21 partially addressed this issue, it remains a concern in earlier versions.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can use the 'content_protector' shortcode to inject scripts into pages. Once the scripts are injected, they will execute when the page is accessed by any user.

Remediation

Users are advised to update the Passster – Password Protect Pages and Content plugin to version 4.2.25 or later.