Metamorfosec Security Advisory METS-2019-004

A cross-site scripting (XSS) in Parallax Scroll plugin before v2.1 for WordPress

FIRST PUBLISHED: February 16, 2019
VERSION: 1.0
VENDOR: Adam Robinson
PRODUCT: Parallax Scroll
VERSION AFFECTED: before v2.1
CVE-ID: CVE-2019-7413

PRODUCT DESCRIPTION:
(from Official Website: https://adamrob.co.uk/parallax-scroll/)
Parallax Scroll is a simple WordPress plugin that allows you to create scrolling parallax backgrounds to elements on your WordPress Site.

FINDING:
In the Parallax Scroll (aka adamrob-parallax-scroll) plugin before 2.1 for WordPress, includes/adamrob-parralax-shortcode.php allows XSS via the title text. ("parallax" has a spelling change within the PHP filename.)

PROOF OF CONCEPT:
1. Log in to WP-Admin
2. Install Parallax Scroll Plugin (tested in v2.0)
3. Go to Parallax Scroll Tab, then click Add New Button to create a new post
4. In the Title Field, enter the payload, e.g. ">
5. Add images via Add Media and Set Featured Image
6. After that, click Publish
7. Go to Parallax Scroll Tab, then copy the Shortcode
8. Create a new WordPress post with the Shortcode
9. Visit the site to trigger the alert

MITIGATION:
Update to v2.1 or newer

ADVISORY TIMELINE:
Jan 15, 2019 - First contact to developer
Feb 4, 2019 - Developer responded and informed that Parallax Scroll plugin v2.1 released to resolve this issue
Feb 5, 2019 - Requested a CVE-ID
Feb 6, 2019 - Received CVE-ID (CVE-2019-7413)
Feb 16, 2019 - Published this advisory (v1.0)

REVISION HISTORY:
Version 1.0 (Feb 16, 2019) - First release

REFERENCES:
https://plugins.trac.wordpress.org/changeset/2024194/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7413

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on our website.
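The finding above is a stored XSS: a post title saved through the plugin's admin screen is later written into the shortcode's HTML output without escaping. The following is an added example, not code from the Parallax Scroll plugin or from Metamorfosec; the function names (demo_*), the shortcode tag and the sample title are hypothetical. It shows the unescaped pattern next to a hardened one that escapes each value for the context it is written into, using WordPress's esc_attr()/esc_html()/esc_url() when loaded inside WordPress and htmlspecialchars() otherwise so the file also runs under plain `php`.

```php
<?php
// Added example (not the Parallax Scroll plugin's code): a minimal shortcode
// handler that renders a stored post title into HTML, first in the unsafe
// form the advisory describes, then in a hardened form. All demo_* names and
// the "demo_parallax" shortcode tag are hypothetical.

// Escape helpers: prefer WordPress's own functions when they exist, fall back
// to htmlspecialchars() so the file can be run from the command line.
function demo_esc_attr(string $value): string {
    return function_exists('esc_attr')
        ? esc_attr($value)
        : htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function demo_esc_html(string $value): string {
    return function_exists('esc_html')
        ? esc_html($value)
        : htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function demo_esc_url(string $value): string {
    return function_exists('esc_url')
        ? esc_url($value)
        : htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the title is concatenated straight into markup. A
// double quote in the title closes the title="..." attribute early, and the
// rest of the string is parsed as markup. This is the class of defect the
// advisory reports; it is shown here only for comparison.
function demo_render_parallax_unsafe(string $title, string $image_url): string {
    return '<div class="parallax" title="' . $title . '" '
         . 'data-image="' . $image_url . '">'
         . '<h2>' . $title . '</h2></div>';
}

// Hardened pattern: every untrusted value is escaped at the point of output,
// with the escaper chosen by context (attribute, element text, URL).
function demo_render_parallax_safe(string $title, string $image_url): string {
    return '<div class="parallax" title="' . demo_esc_attr($title) . '" '
         . 'data-image="' . demo_esc_url($image_url) . '">'
         . '<h2>' . demo_esc_html($title) . '</h2></div>';
}

// Shortcode registration as it would look inside WordPress (skipped when the
// file runs outside WordPress). The `id` attribute selects the stored post
// whose title and featured image are rendered.
if (function_exists('add_shortcode')) {
    add_shortcode('demo_parallax', function ($atts) {
        $atts = shortcode_atts(['id' => 0], $atts, 'demo_parallax');
        $post = get_post((int) $atts['id']);
        if (!$post) {
            return '';
        }
        $image = (string) get_the_post_thumbnail_url($post, 'full');
        return demo_render_parallax_safe($post->post_title, $image);
    });
}

// Constructed sample input: a title containing the quote-and-bracket prefix
// from the advisory's step 4, so the effect of escaping is visible.
if (PHP_SAPI === 'cli') {
    $title = 'Sunset "> banner';
    $image = 'https://example.invalid/bg.jpg';
    echo "unsafe: ", demo_render_parallax_unsafe($title, $image), PHP_EOL;
    echo "safe:   ", demo_render_parallax_safe($title, $image), PHP_EOL;
}
```

Run with `php` to see the two renderings side by side: in the unsafe output the `"` ends the title attribute, while in the safe output it becomes `&quot;` and the `>` becomes `&gt;`, so the title stays inside the attribute and inside the heading as text. The general rule the fix illustrates is to escape at output time, per context, rather than trying to sanitize titles on the way into the database.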