During testing of the Tabs Shortcode and Widget plugin for WordPress, a security vulnerability was discovered that allows for Stored Cross-Site Scripting (XSS) attacks. This vulnerability arises from the plugin’s failure to properly validate and escape some of its shortcode attributes before outputting them back in a page or post where the shortcode is embedded. As a result, users with the contributor role and above can exploit this flaw to execute malicious scripts, potentially leading to account takeover and compromise of the website.

Main info:

PluginTabs Shortcode and Widget <= 1.17
All Time52 187
Active installations2 000+
Publicly PublishedFebruary 20, 2023
Last UpdatedFebruary 20, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A7: Cross-Site Scripting (XSS)
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0719
Plugin Security Certification by CleanTalk


January 9, 2023Plugin testing and vulnerability detection in the Tabs Shortcode and Widget have been completed
January 9, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
February 20, 2023Registered CVE-2024-0719

Discovery of the Vulnerability

In the process of testing the plugin, a vulnerability was found that allows you to implement Stored XSS on behalf of the contributor by embedding the shortcode in a new post, which entails account takeover

Understanding of Stored XSS attack’s

Stored XSS vulnerabilities via shortcode occur when user-supplied input within shortcode attributes is not properly sanitized before being rendered on the front-end of a WordPress website. This allows attackers to inject malicious scripts into the shortcode attributes, which are then executed when the shortcode is rendered on a page or post. Real examples of this vulnerability include embedding malicious JavaScript code within shortcode attributes such as title, content, or custom parameters, leading to the execution of arbitrary scripts in the context of other users’ sessions.

Exploiting the Stored XSS Vulnerability

To exploit the CVE-2024-0719 vulnerability in the Tabs Shortcode and Widget plugin, an attacker with the contributor role or above can create a new post or page and embed the malicious shortcode containing the XSS payload. The payload is designed to execute arbitrary JavaScript code when the page or post is viewed by other users. By leveraging this vulnerability, an attacker can potentially hijack user sessions, steal authentication tokens, and perform unauthorized actions on behalf of other users.

POC shortcode:

  1. [otw_shortcode_tabslayout tabs=”2″ title=”234″ tab_1_title=”34″ tab_1_icon_url=”http://123″ tab_1_content=”23″ tab_2_title=”123″ tab_2_icon_type=”general foundicon-page” tab_2_icon_url=”123″ tab_2_content=”123″ css_class='” onmouseover=”alert(/XSS/)”‘ css_id='” onmouseover=”alert(/XSS/)”‘][/otw_shortcode_tabslayout]


The CVE-2024-0719 vulnerability poses a significant risk to WordPress websites and their users. In real-world scenarios, attackers can exploit this vulnerability to perform a wide range of malicious activities, including but not limited to:

  • Theft of sensitive information such as user credentials, session tokens, and personal data.
  • Defacement of website content by injecting malicious scripts or content into posts or pages.
  • Distribution of malware or phishing content to unsuspecting website visitors.
  • Hijacking user sessions to perform unauthorized actions on behalf of authenticated users, such as modifying account settings, posting malicious content, or initiating financial transactions.

Recommendations for Improved Security

To mitigate the risk associated with CVE-2024-0719 and similar vulnerabilities related to Stored XSS via shortcode, the following recommendations are provided:

  • Implement strict input validation and output escaping in all WordPress plugins and themes to prevent XSS attacks, especially within shortcode attributes.
  • Educate developers about secure coding practices, including the importance of sanitizing user input and properly escaping output, particularly in the context of shortcode attributes.
  • Regularly audit and review code for vulnerabilities, including XSS vulnerabilities, as part of the development process.
  • Consider using security plugins or web application firewalls (WAFs) to monitor and block XSS attacks and other malicious activity.
  • Stay informed about emerging security threats and best practices in WordPress security by participating in security communities and following reputable security resources.

By following these recommendations, website administrators can strengthen the security of their WordPress websites and reduce the risk of exploitation through Stored XSS vulnerabilities in plugins like Tabs Shortcode and Widget.

#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

Use CleanTalk solutions to improve the security of your website


Create your CleanTalk account

By signing up, you agree with license. Have an account? Log in.
CVE-2024-0719 – Tabs Shortcode and Widget – Contributor+ Stored XSS via shortcode – POC

Leave a Reply

Your email address will not be published. Required fields are marked *