CVE-2023-5704 - Stored XSS Vulnerability in CPO Shortcodes Plugin for WordPress – How It Works, Exploit Demo, and Solutions

In late 2023, a major security flaw was uncovered in a widely used WordPress plugin named CPO Shortcodes (by Macho Themes), exposing hundreds of thousands of sites to the risk of Stored Cross-Site Scripting (XSS). The vulnerability, tracked as CVE-2023-5704, affects all plugin versions up to and including 1.5..

If you use this plugin, it’s crucial to understand the risk and take immediate action.

What is CVE-2023-5704?

This CVE refers to a Stored Cross-Site Scripting vulnerability in the CPO Shortcodes plugin. The bug is simple yet dangerous: the plugin does not properly check or clean user input in its shortcodes. This means an attacker with the right access (at least a contributor role) can inject malicious scripts that execute whenever someone views the affected page.

Contributors are trusted to write posts but shouldn’t be able to run code—but this bug lets them.

Why does this matter?

Stored XSS is extra nasty because malicious code is permanently stored on your website (in posts or pages). Any user who views the compromised content gets hit, including site admins.

Technical Root

The CPO Shortcodes plugin includes multiple shortcodes for client testimonials, portfolios, custom boxes, and more. When a contributor creates a post or a page, they can use shortcodes like [cpo_testimonial], [cpo_box], etc., which accept various “attributes.”

These attributes should be filtered and escaped. Instead, the plugin just outputs them directly on the page, raw.

Example vulnerable code

<?php
// Example from plugin: renders 'title' attribute unchecked!
function cpo_box_shortcode($atts, $content = null) {
    $title = $atts['title']; // NO SANITIZATION!
    return "<div class='cpo-box'><h3>$title</h3><p>$content</p></div>";
}
?>

If a contributor enters this as a post content

[cpo_box title="<script>alert('XSS!')</script>"]Malicious content[/cpo_box]

Visitors will see an alert box, meaning the browser executed the attacker's JavaScript.

`

[cpo_box title="

"]This is a test[/cpo_box]

Visit the post page as any user (admin, visitor, etc). The JavaScript code executes immediately.

*Any Javascript can be injected, including session stealers, browser redirects, and malicious overlays.*

Responsible Disclosure & References

- Discovered by: Wordfence
- CVE Record: NIST CVE-2023-5704
- Patch Status: *As of the publication of this article, no official patch is available. Users are encouraged to disable the plugin or use a web application firewall (WAF).*

Restrict Permissions: Limit contributor creation and review all their posts before publishing.

- Install a Firewall: Tools like Wordfence or Sucuri catch XSS.

Conclusion

CVE-2023-5704 is a dangerous bug because it allows trusted users to inject persistent attacks into your site. If you manage a WordPress installation with CPO Shortcodes installed (version 1.5. or older), you must act now. Keep all plugins updated, restrict contributor roles, and ensure all input is sanitized.

Further Reading

- Wordfence vulnerability report
- Official plugin page
- OWASP XSS Overview

Timeline

Published on: 11/22/2023 16:15:14 UTC
Last modified on: 11/28/2023 19:22:32 UTC