Info Cards WordPress Plugin Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Info Cards – Add Text and Media in Card Layouts plugin for WordPress, affecting all versions through 2.0.7. The issue arises from inadequate input validation on URL schemes, particularly the absence of filtering for 'javascript:' protocols. When the Info Cards block is rendered, all attributes are passed as JSON to the frontend via a data-attributes HTML attribute. This method, while preventing direct HTML attribute injection, fails to validate URL protocols within the JSON data. Consequently, the client-side script renders the 'btnUrl' value directly as an href attribute on anchor elements without any protocol sanitization. This flaw allows authenticated attackers with Contributor-level access or higher to inject 'javascript:' URLs that execute arbitrary scripts when the user clicks the corresponding button link.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content.
Reproduction
To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can add an Info Cards block and inject a 'javascript:' URL into the 'btnUrl' parameter. Once the card is saved and viewed, the injected script will execute when the button is clicked.
Remediation
Users are advised to update the Info Cards WordPress plugin to version 2.0.8 or later.
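For developers who render link values from block attributes on the client, the missing check described above is a scheme allowlist applied before the value reaches `href`. The following is an added example, not the plugin's code or its 2.0.8 fix; only the `btnUrl` key and the `data-attributes` JSON transport come from this advisory, while the function names, the sample JSON shape and the `example.test` base URL are assumptions.

```javascript
// Added example: allowlist of URL schemes permitted in a rendered href.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);
const FALLBACK_HREF = "#";

// Returns a value safe to assign to an anchor's href, or FALLBACK_HREF.
// pageBase resolves relative links; in a browser pass document.baseURI.
function safeHref(raw, pageBase = "https://example.test/") {
  if (typeof raw !== "string" || raw.trim() === "") return FALLBACK_HREF;
  let parsed;
  try {
    // The WHATWG URL parser normalises input the way a browser does when
    // it follows a link: leading whitespace/control characters are
    // stripped, embedded tabs and newlines are removed, and the scheme is
    // lowercased. Checking parsed.protocol therefore sees the scheme the
    // browser would act on, which a naive startsWith("javascript:") misses.
    parsed = new URL(raw, pageBase);
  } catch {
    return FALLBACK_HREF; // unparseable input is never rendered as a link
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : FALLBACK_HREF;
}

// Parses the JSON carried in a data-attributes value and returns a copy
// whose btnUrl has passed the allowlist (hypothetical helper name).
function sanitiseBlockAttributes(json) {
  const attrs = JSON.parse(json);
  return { ...attrs, btnUrl: safeHref(attrs.btnUrl) };
}

// Constructed sample: mixed case plus an embedded tab inside the scheme.
// Only "btnUrl" is taken from the advisory; "title" is an assumed field.
const SAMPLE = '{"title":"Plans","btnUrl":"JaVa\\tScript:alert(1)"}';

console.log(sanitiseBlockAttributes(SAMPLE));
```

The same allowlist belongs on the server when the attribute is saved, so that stored content is clean regardless of which script later renders it.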
