Executive Summary

The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) through its `myqtip` shortcode in all versions up to and including 2.0.5.

This vulnerability arises because the plugin does not properly sanitize or escape user-supplied attributes, specifically the `title` attribute in the shortcode.

As a result, authenticated users with contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user views the affected page.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with contributor-level access or above to inject malicious scripts into WordPress pages.

When other users visit these pages, the injected scripts execute in their browsers, potentially leading to theft of user credentials, session hijacking, or other malicious actions.

Because the vulnerability is a Stored Cross-Site Scripting flaw, the malicious code persists on the site and affects all visitors to the compromised pages.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by searching for the presence of the vulnerable shortcode `[myqtip]` in WordPress posts or pages, especially those created or edited by users with contributor-level access or higher.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves stored Cross-Site Scripting via the `title` attribute of the shortcode, you can look for suspicious or unexpected script tags or JavaScript code embedded within the `title` attribute of the shortcode.'}, {'type': 'paragraph', 'content': 'Commands to detect this might include searching the WordPress database for instances of the `[myqtip]` shortcode with potentially malicious content. For example, using SQL queries on the WordPress posts table:'}, {'type': 'list_item', 'content': "SELECT ID, post_title, post_content FROM wp_posts WHERE post_content LIKE '%[myqtip%';"}, {'type': 'list_item', 'content': 'Then manually inspect the `post_content` field for suspicious JavaScript or HTML injected in the `title` attribute.'}, {'type': 'paragraph', 'content': 'Additionally, you can use command-line tools like grep to scan exported content or backups for the shortcode usage:'}, {'type': 'list_item', 'content': "grep -r '\\[myqtip' /path/to/wordpress/wp-content/"}, {'type': 'paragraph', 'content': 'Network detection is less straightforward since this is a stored XSS vulnerability triggered by user interaction with the injected page, but monitoring for unusual script execution or alerts from web application firewalls when pages containing the shortcode are accessed could help.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation steps include:

• Update the MyQtip – easy qTip2 plugin to a version later than 2.0.5 where the vulnerability is fixed.
• If an update is not immediately available, disable or remove the plugin to prevent exploitation.
• Restrict contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated access at contributor level or above.
• Manually audit and clean any posts or pages containing the `[myqtip]` shortcode with suspicious or malicious content in the `title` attribute.
• Implement or enhance web application firewall (WAF) rules to detect and block attempts to inject or execute malicious scripts via the shortcode.

Useful 0 Not Useful 0