Structured Content WordPress Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Structured Content (JSON-LD) WordPress plugin, affecting versions prior to 1.7.0. The issue arises because the plugin fails to properly validate and escape certain block options before rendering them on a page or post. This flaw allows users with a contributor role or higher to inject malicious scripts that are executed when the content is viewed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content.

Reproduction

To reproduce this vulnerability, switch to a user role of Contributor or higher. Create a new post and select the Structured Content plugin. Choose the FAQ block and enter a payload, such as a script injection, into the Additional CSS class(es) field. Preview the post to see the cross-site scripting in action.

Remediation

Users are advised to update the Structured Content WordPress plugin to version 1.7.0 or later.
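A defender-side check for the field named under Reproduction, as an added example that is not code from the plugin or from this advisory: it scans stored post content for block comments whose className attribute holds anything other than plain class names. It assumes the plugin stores the Additional CSS class(es) value in the block editor's standard className attribute; the block name example/faq and the sample posts are constructed placeholders.

```python
import json
import re

# Opening (or self-closing) block comment as the block editor serializes it:
#   <!-- wp:namespace/name {"attr": "value"} -->
BLOCK_RE = re.compile(
    r"<!--\s+wp:(?P<name>[a-z][a-z0-9_-]*(?:/[a-z][a-z0-9_-]*)?)"
    r"\s+(?P<attrs>\{.*?\})\s+/?-->",
    re.S,
)
# Conservative allowlist: space-separated names built from the characters
# WordPress's sanitize_html_class() keeps. Anything else is flagged for review.
SAFE_CLASSES = re.compile(r"[A-Za-z0-9_\- ]*")

# Constructed sample content. "example/faq" is a placeholder block name.
SAMPLE_POSTS = {
    101: '<!-- wp:example/faq {"className":"faq wide"} -->'
         '<p>Q and A</p><!-- /wp:example/faq -->',
    # The editor stores quotes and angle brackets as \uXXXX escapes in the JSON.
    102: r'<!-- wp:example/faq {"className":"faq\u0022\u003e\u003cb\u003e'
         r'constructed\u003c/b\u003e"} --><p>Q and A</p><!-- /wp:example/faq -->',
}


def audit_post(post_id, content):
    """Return (post_id, block_name, className) for each suspicious block."""
    findings = []
    for match in BLOCK_RE.finditer(content):
        name = match.group("name")
        try:
            attrs = json.loads(match.group("attrs"))
        except json.JSONDecodeError:
            # Attributes that do not parse deserve a manual look as well.
            findings.append((post_id, name, "<unparseable attributes>"))
            continue
        value = attrs.get("className", "")
        if not isinstance(value, str) or not SAFE_CLASSES.fullmatch(value):
            findings.append((post_id, name, value))
    return findings


if __name__ == "__main__":
    for pid, body in SAMPLE_POSTS.items():
        for finding in audit_post(pid, body):
            print("review:", finding)
```

Feed it the post_content of posts and revisions authored by Contributor-level accounts; a finding marks content to review, not proof of exploitation.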

Added: Aug 14, 2025, 6:28 AM
Updated: Aug 14, 2025, 6:28 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.