Scoreboard for HTML5 Games Lite Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Scoreboard for HTML5 Games Lite plugin for WordPress, affecting all versions through 1.2. The vulnerability arises in the 'scoreboard' shortcode, where the shortcode function sfhg_shortcode() permits the inclusion of arbitrary HTML attributes in the rendered <iframe> element. Although a limited blacklist of four attribute names is enforced, this does not effectively block the injection of JavaScript event handler attributes. As a result, authenticated attackers with Contributor-level access or higher can inject malicious scripts that execute when users access the affected page.
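Why a name blacklist fails where an allowlist holds, as an added PHP example that is not the plugin's code. The function names, the four blocked names, the allowed attributes and the sample input are all assumptions constructed for illustration; inside WordPress the escaping would normally be done with esc_attr().

```php
<?php
// Added illustration, not the plugin's source. All names are hypothetical.

// Blacklist pattern: skip a few attribute names, render everything else.
function render_iframe_blacklist(array $atts): string {
    $blocked = ['src', 'srcdoc', 'style', 'class']; // hypothetical four names
    $html = '<iframe';
    foreach ($atts as $name => $value) {
        if (in_array(strtolower($name), $blocked, true)) {
            continue;
        }
        // Escaping the value is not enough: the attribute NAME is
        // attacker-chosen, so any on* handler name passes through.
        $html .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES) . '"';
    }
    return $html . '></iframe>';
}

// Allowlist pattern: emit only known attributes, each validated by type.
function render_iframe_allowlist(array $atts): string {
    $allowed = [
        'width'  => fn($v) => ctype_digit((string) $v) ? $v : null,
        'height' => fn($v) => ctype_digit((string) $v) ? $v : null,
        'title'  => fn($v) => htmlspecialchars((string) $v, ENT_QUOTES),
    ];
    $html = '<iframe';
    foreach ($allowed as $name => $validate) {
        if (!isset($atts[$name])) {
            continue;
        }
        $clean = $validate($atts[$name]);
        if ($clean !== null) {
            $html .= ' ' . $name . '="' . $clean . '"';
        }
    }
    return $html . '></iframe>';
}

// Constructed input, shaped like parsed shortcode attributes.
$atts = ['width' => '640', 'height' => '480', 'onmouseover' => 'PLACEHOLDER_JS'];

// The blacklist version keeps the event-handler attribute in the markup.
echo render_iframe_blacklist($atts), "\n";
// The allowlist version emits only width and height.
echo render_iframe_allowlist($atts), "\n";
```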
Impact
Exploitation of this vulnerability results in stored cross-site scripting: the injected scripts are executed in the context of the user viewing the page.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access can create a post or page and use the 'scoreboard' shortcode. The user can include JavaScript event handler attributes, such as 'onmouseover' or 'onfocus', which are not covered by the blacklist and are therefore not removed from the rendered <iframe> element. Once the post is published, the injected script will execute when the page is viewed.
Remediation
Users are advised to update the Scoreboard for HTML5 Games Lite plugin to version 1.3 or later, where this vulnerability has been patched.
