CVE-2025-7810

MEDIUM 5.4 / 10.0
Published: July 29, 2025 at 04:15 AM
Modified: July 29, 2025 at 02:14 PM
Source: security@wordfence.com

Vulnerability Description

The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'data-uuid' attribute in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Metrics

Base Score: 5.4
Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

Source: security@wordfence.com

AI Security Analysis

01 // Technical Summary

Authenticated attackers with contributor-level access can inject malicious JavaScript into WordPress websites using the StreamWeasels Kick Integration plugin, leading to Stored Cross-Site Scripting (XSS). This allows attackers to execute arbitrary code in visitors' browsers, potentially leading to account compromise, data theft, or website defacement. The vulnerability affects all versions of the plugin up to and including 1.1.4.

02 // Vulnerability Mechanism

Step 1: Authentication: The attacker logs into the WordPress website with contributor-level or higher privileges.

Step 2: Payload Injection: The attacker crafts a malicious JavaScript payload (e.g., <script>alert('XSS')</script>) and injects it into the 'data-uuid' attribute of a Kick Integration element within a post or page. This can be done through the WordPress editor.

Step 3: Data Storage: The injected payload, along with the other post/page content, is saved in the WordPress database.

Step 4: Page Rendering: When a user views the post or page containing the malicious Kick Integration element, the plugin retrieves the 'data-uuid' attribute from the database.

Step 5: Code Execution: The plugin renders the 'data-uuid' attribute in the HTML without proper escaping. The browser interprets the injected JavaScript payload and executes it, triggering the XSS vulnerability.

03 // Deep Technical Analysis

The vulnerability stems from missing input sanitization and output escaping in the StreamWeasels Kick Integration plugin's handling of the 'data-uuid' attribute. The plugin does not validate or sanitize the user-supplied value before storing it in the database, and does not escape it when rendering it on web pages. An attacker can therefore place JavaScript in the 'data-uuid' attribute, and the browser of any user who opens the affected page executes it. The root cause is the failure to escape user-supplied data before outputting it to the HTML.
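The two controls this analysis says are missing, input validation and output escaping, shown as an added example beside the unsafe pattern (this is not the plugin's code and not part of the original analysis). The function names, the markup and the allow-list pattern are assumptions; htmlspecialchars() stands in for WordPress's esc_attr() so the block runs without WordPress loaded.

```php
<?php
// Added illustration; not the plugin's source. Function names, the markup and
// the allow-list pattern are assumptions made for this example.

// Unsafe pattern described above: the stored value is concatenated into the
// attribute with no validation and no escaping.
function render_kick_embed_unsafe(string $uuid): string
{
    return '<div class="kick-embed" data-uuid="' . $uuid . '"></div>';
}

// Input side: accept only identifier-like values (assumed character set);
// anything else is replaced with an empty string.
function sanitize_uuid(string $raw): string
{
    $raw = trim($raw);
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $raw) === 1 ? $raw : '';
}

// Output side: escape for the HTML attribute context at the point of output.
// Inside WordPress, esc_attr() is the function for this; htmlspecialchars()
// stands in here. Escaping is applied even after validation, so a later change
// to the allow-list cannot reintroduce raw markup.
function render_kick_embed_safe(string $uuid): string
{
    $value = htmlspecialchars(sanitize_uuid($uuid), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="kick-embed" data-uuid="' . $value . '"></div>';
}

// Constructed inputs: an ordinary identifier and the payload quoted in Step 2.
$samples = [
    'a1b2c3d4-0000-4000-8000-123456789abc',
    "<script>alert('XSS')</script>",
];

foreach ($samples as $sample) {
    echo 'input : ', $sample, PHP_EOL;
    echo 'unsafe: ', render_kick_embed_unsafe($sample), PHP_EOL;
    echo 'safe  : ', render_kick_embed_safe($sample), PHP_EOL, PHP_EOL;
}
```

The ordinary identifier renders identically in both versions; for the Step 2 payload, the unsafe version emits the markup verbatim while the safe version emits an empty data-uuid attribute.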

CVE-2025-7810 - MEDIUM Severity (5.4) | Free CVE Database | 4nuxd