More than 100 plugins impacted by the same basic cross-site scripting vulnerability in shortcodes.
Wordfence-Logo.png (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzF3prCCW6N1vHY6lZ3nHV58bbD3vBHBvW1PBSPK7nFn0fW4lFYyZ86JP8rW8jmSlh7RMxP_W2ny4nP13VDp2W3sT5Gc1P4Ch2W1Gqqd62xD-c5N1cK8T8TYsVLW8ctvck4hD970W3SgR-h12hPFFW2cD_Mn6zwPRjW3jWXGv2FC0NZW6sgvzj4rTCxNW88YKwt4DbD49W2JbS3m3zV5dRVDBh_22lTcZjW4nwCs67HgLYRW75NQBW5nFQGvW1YFW2b1M3FvcW44Y-5S5B59WcW89tPGs25jQd9W6ygH2X3cbYwWf1FH2hT04 )
FeaturedImage_Wordfence_61.02 (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
A previous version of this email was sent with an incorrect title. This has been corrected at this time.
đ Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3mrW2Z5Q3v6-Gj8CVlsLMD93sQfGW5B5PFs7G9Rz1W6LSFQs8hv0PZW1pSFzN4cHjBHW5p7jjb79h1ttW526LXc6p8C3DW3ts7n17L8L_BW61n_xg4wzRK_W8yrmkW4W-QYgW6Psylt1zq8tSW37s78963gpk8W7pTmcs77yW5LW5zgVg19kw2j7W2t47bf4rnMwMVp8scQ4dgj2BW4vdjft1KFDvZW7Zfvb-49Sy2KW4rpWDN5ysY8PW5LWvKg3cv93LW6Dp8lW6p5NM8W5sWms01tnrZNW49XkYF5W6g_-W8ykjNp8ldF86W7Tc4KW45LPgWW8JpWpH1jG-QKf4z_fMH04 ) and submit your vulnerabilities (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3n8W2TB8l62M43CkN47QyQqgWzGkW6PCYj25P-8-2W18LN7010T5B-W2pptN45VcNY3N3YNGHHXBPgJN16ChS1v3Fy7W99jyV370-x7CW9l4NCk2RVj7kVfWNRY65Th8_N52x7wZ3_262W3Nx5c66vTgYJW7CM7Xd504R_tW6mVd5P1SJ-vWW6zJ-0M5hKTZGW1dsZ9y40HrQ-W5tD7mS2zVG37W6F0v2F37R210W702m9r3pXCgRW6ljh9m1p__qTW1PfMC13RbFvyW2MLXVB42rgjxW5phg706W_GtCW1F3gyx6yVf0CW4cm07j5D5xQQW5SJpDd5rQkHlf76PL8H04 ) today! đ
On August 14, 2023, the Wordfence Threat Intelligence team began a research project to find Stored Cross-Site Scripting (XSS) via Shortcode vulnerabilities in WordPress repository plugins. This type of vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using plugin shortcodes, which will execute whenever a victim accesses the injected page. We found over 100 vulnerabilities across 100 plugins which affect over 6 million sites. You can find the complete chart of affected plugins below.
All Wordfence Premium (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3lvW1m0lRk7l12zVN7mS53_y6pgkW8C9r2n8pSR3JW626FSN6VWjnxW4q0mJf1b7QdHW5z4vfC1pdr5PVTGQxp3z-R82W5ymwM54x2fr7W6PqG-T428JtbVpYH4V4YbwW8N6Hf7n1t4SnrW6vBsZW4fzQS3W2-QNQG4D20kCW18XtwT3w7nrgW4Hxvrk3vxqS5W3mnshH4-ykMJVrTbYq5XD2GBW8BskmC8XZhNmVnZL2J6L6vnHW5r73Md7qd2vpW8Mx4m785MnnXVxYxMk4J8cR-W3fD86m98w15yW89688K2S8LR5N6JKnhYDx2mMW4yD8DR5zsdfjdSBbcg04 ) , Wordfence Care (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3pMW2JjK7V8l_6NGW2FVLng8WVWxhW3hLbSc8xNG2-W8BzN796BS3wzW7JSc3K6ZVSydW6q5kgr5ZYdlhW6NZbjl6NxwwDW3FqG472ND--DW4BfYwl5G6GJRW5cZJp687qNdYW1pcqxt3jfpw8W3Q45SP6Mz8pXW2Pn4cZ8-RY6PN4WPyMD9JvHwVndswh20NcMhW3jtH1L3DCNYrW8T31Sd5X11DQW8tMJZW4tlcv_N51RHh65w-tbW760Jk88QGRTWW7h6_DT4qFb2CW8L5rGm4QXhw1W25mWyk4gjCCBW8Lt-TV9198HpW8WfVtl8cH3VtN4TxPD02st51f2NPqmK04 ) , and Wordfence Response (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3kJW2pQfXF7bRKdpVQ31q98JHXX4W5y4lgK7ynT0dVqlvR-8n47f-W28Jvxl4QWNRWW6jvsSZ1W9bL9W56zN_j8GjptNW5g8Pvr2fQqSjV3Tlt41SPrmnW51ZjYr6xhsshW6nHr3y72GM5nW84xfxT39tnJMW70RJWm8GZbx8W8Z3j266P3Zf5W6M36cR3CbVbsW4JbNg98ZTKVXW8SXLrL1jyxbDW7j_slF7y7zLyVrvHT75qq7SnW5j99T-3cl02CW5Cpqd03C9MZbW35fPZ16pnlDsW5FXDs-1SZbC4W71v-dM3CNbrvW7ql2tL4CyLvjW4H_X5M6Q6pvFf5sf_Hx04 ) customers, as well as those still using the free version of our plugin, are protected by the Wordfence firewallâs built-in Cross-Site Scripting protection against any exploits targeting this type of vulnerability.
CONTINUE READING ON THE BLOG
(
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
Why are these vulnerabilities so common?
By a general definition, shortcodes are unique macro codes added by plugin developers to dynamically and automatically generate content. Developers can use shortcode attributes to optionally add settings, making the content even more dynamic and providing more options for users.
It is important to note that shortcodes are typically used in the post content on WordPress sites, and the post content input is sanitized before being saved to the database, which is a WordPress core functionality, so it is often sanitized in all cases.
Developers might assume that since WordPress core sanitizes post content, the attributes used in shortcodes are also sanitized and secure. However, the wp_kses_post() sanitization function only sanitizes complete HTML elements.
These vulnerabilities occur when the value provided in the shortcode attribute is output in dynamically generated content within the attributes of an HTML element. In such cases, the value specified in the shortcode contains only HTML element attributes, which are not sanitized during the save of a post. As mentioned earlier, the sanitize function only sanitizes complete HTML tags.
An example shortcode containing an HTML tag sanitized by the wp_kses_post() function:
[custom_link class="<p onmouseover='alert(/XSS/)'>Click Here!</p>"]
In this case, wp_kses_post() checks and sanitizes the entire <p> tag and its attributes.
An example shortcode not sanitized by the wp_kses_post() function:
[cutsom_link class="' onmouseover='alert(/XSS/)']
As there is no HTML tag in this case, the wp_kses_post() function does not check or sanitize anything.
Note: The above explanation demonstrates the usage of cross-site scripting within HTML attributes as it is the most common scenario, but the same problem applies to JS variable values, which will be equally vulnerable if not properly escaped.
Even the WordPress security handbook says the following about escaping output:
âMost WordPress functions properly prepare the data for output, and additional escaping is not needed.â
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3kTW5vtJ1q7bLHjNW4lb-Vx19BvSlW130yps8vHZwCW1VGgHw3_xFpYW57Mdsv7Y_jQLW2N-rkR6DGmMPW3C0YNG63ppG7N9kJFtFx8H-zN6zcJRZlQjn6F50FbClKgLdW8Dy5bS6sZs1_W8354z63ddLKfW5DxYWs1F9c3dW36wJ1W85WvVlW8JSpf72R9CZ5W82bgYs6wzwt9W5Rtt4w2MlsQkW80g6pZ8N3f34W6dWC2Z64QYzBW6gFT_P5ZkRxHW2kz5m880Rqn-W4yYm9L3wNGm1N75-Q--T27kMW9hjHy-88THlfW8L5fnP38LgskW7KCkbR992hgDf4Qs3Rx04 (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3kTW5vtJ1q7bLHjNW4lb-Vx19BvSlW130yps8vHZwCW1VGgHw3_xFpYW57Mdsv7Y_jQLW2N-rkR6DGmMPW3C0YNG63ppG7N9kJFtFx8H-zN6zcJRZlQjn6F50FbClKgLdW8Dy5bS6sZs1_W8354z63ddLKfW5DxYWs1F9c3dW36wJ1W85WvVlW8JSpf72R9CZ5W82bgYs6wzwt9W5Rtt4w2MlsQkW80g6pZ8N3f34W6dWC2Z64QYzBW6gFT_P5ZkRxHW2kz5m880Rqn-W4yYm9L3wNGm1N75-Q--T27kMW9hjHy-88THlfW8L5fnP38LgskW7KCkbR992hgDf4Qs3Rx04 )
After reading this, developers might reasonably assume that the shortcode attributes are sanitized and secure. However, as demonstrated in the above example, there are exceptions.
Vulnerability Summary from Wordfence Intelligence
VIEW IMPACTED PLUGINS ON THE BLOG
(
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
Security recommendations for developers
We recommend using one of the built-in WordPress escaping functions before outputting user data. WordPress has a number of functions that can be used for different situations. You can read more about these functions at:
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3kTW5vtJ1q7bLHjNW4lb-Vx19BvSlW130yps8vHZwCW1VGgHw3_xFpYW57Mdsv7Y_jQLW2N-rkR6DGmMPW3C0YNG63ppG7N9kJFtFx8H-zN6zcJRZlQjn6F50FbClKgLdW8Dy5bS6sZs1_W8354z63ddLKfW5DxYWs1F9c3dW36wJ1W85WvVlW8JSpf72R9CZ5W82bgYs6wzwt9W5Rtt4w2MlsQkW80g6pZ8N3f34W6dWC2Z64QYzBW6gFT_P5ZkRxHW2kz5m880Rqn-W4yYm9L3wNGm1N75-Q--T27kMW9hjHy-88THlfW8L5fnP38LgskW7KCkbR992hgDf4Qs3Rx04 (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3kTW5vtJ1q7bLHjNW4lb-Vx19BvSlW130yps8vHZwCW1VGgHw3_xFpYW57Mdsv7Y_jQLW2N-rkR6DGmMPW3C0YNG63ppG7N9kJFtFx8H-zN6zcJRZlQjn6F50FbClKgLdW8Dy5bS6sZs1_W8354z63ddLKfW5DxYWs1F9c3dW36wJ1W85WvVlW8JSpf72R9CZ5W82bgYs6wzwt9W5Rtt4w2MlsQkW80g6pZ8N3f34W6dWC2Z64QYzBW6gFT_P5ZkRxHW2kz5m880Rqn-W4yYm9L3wNGm1N75-Q--T27kMW9hjHy-88THlfW8L5fnP38LgskW7KCkbR992hgDf4Qs3Rx04 )
Technical Analysis #1
A general but fictional shortcode will be used to demonstrate a shortcode XSS vulnerability, focusing only on the most important details.
Letâs take an example where shortcode attributes are used as HTML attributes.
The vulnerable shortcode function:
ray-so-export (16) (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
Letâs take a look at an example where the following shortcode is used in the post content:
[custom_link class='my-custom-class']Link Text[/custom_link]
As a result, the following link will be displayed in the post:
ray-so-export (17) (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
In this case, the class attribute of the shortcode is used and outputted in the class attribute of the <a> HTML tag.
The Exploit
Now, letâs take a look at a threat actor that wants to inject malicious web scripts into a post using the pluginâs shortcode. To accomplish this, the attacker needs to leave the specified HTML attribute, which in the example is the âclassâ attribute and add an additional malicious HTML attribute after.
Hereâs an exploit example:
[custom_link class='" onmouseover="alert(/XSS/)']Link Text[/custom_link]
With the payload above, the following link will be displayed in the post:
ray-so-export (18) (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
The first double quotation mark provided in the shortcodeâs âclassâ attribute closes the âclassâ HTML attribute within the <a> tag. After that the âonmouseoverâ HTML attribute containing a malicious script is added to the <a> tag. This means that whenever a user mouses over the rendered shortcode, a prompt with âXSSâ would appear on the screen.
The Solution
To make the shortcode secure, escape functions must be used. This prevents user-defined input from leaving the original âclassâ HTML attribute as any quotes used to leave the HTML attribute will be escaped.
Letâs make the example shortcode code secure:
ray-so-export (19) (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
The âclassâ data is an attribute, so it is recommended to use the esc_attr() function there.
The âhrefâ data is a url, which is an attribute that has more specific requirements, so it is recommended to use the esc_url() function there.
The above two functions make the shortcode completely secure against Cross-Site Scripting.
If the attacker tries to add a malicious shortcode using the patched functionality, it will result in the following link, which no longer contains executable JavaScript:
ray-so-export (20) (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
Technical Analysis #2
Next, letâs look at an example where shortcode attributes are used as JS variable values.
The vulnerable shortcode function assigns shortcode attributes to JS variables:
ray-so-export (21) (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
Hereâs an example where the following shortcode is used in the post content:
[custom_js_color_variable color='blue']
As a result, the following script with a variable setting for âcolorâ will be displayed in the post:
ray-so-export (22) (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
The Exploit
Now, weâll try to exploit the shortcode:
[custom_js_color_variable color='"; alert(/XSS/); let more="']
As a result, the following script will be displayed in the post:
ray-so-export (23) (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
The Solution
Letâs make the example shortcode code secure:
ray-so-export (24) (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
The âcolorâ data is a JS variable, so it is recommended to use the esc_js() function.
The following script will be displayed in the post if the attacker tries using the same malicious shortcode:
ray-so-export (25) (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzl5m_5PW69t95C6lZ3lTW1W35896TscbbW2N2T0s2pk7xRN66jSkl52vgGW29wy4y5zF_kLW8dK_bQ6Zh5qnV18kyH5y-7tZW4q2CCQ7GpDPQN82fLdQQJ1BJW6NJBFx7fQnp6W1f6_0d4j0y1QW16Bc798vsc-XW4NG5tn17fFvcW4GpQjP4s3D2RW7s9dkP3_3WzlW7x3N1X8-rc2VW7GKY6v3DbgWNVtL9Rk1PGhxHW7f-MkD5kKG18W5sRpMK4M22CjW7h5wtl2Y_sM3W3XbSjd5vlKFZW2RT6Q43lg69zW6V25Fv7xflgfW7Xs7xV2WL-k_W1kBL8K4l1SwgW4LxDFy4K-1gWW6wvng91Q0CLKW84g7l-4w1wk2W3VQgGf6K4t5kW2mXNdx86xfg0W4V-L4L6dp_xjW7H-W5h6XSW3ZV1J6vj3mB-w5W6JdG9C36LBwvW4QsP6j1_KmDxW8dNv372_7FJTf6WvK6-04 )
Conclusion
In this blog post, we have detailed Stored Shortcode-Based XSS vulnerabilities within several WordPress repository plugins. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. As with all XSS vulnerabilities, a malicious payload could be used to perform actions as an administrator, including adding new malicious administrator users to the site and embedding backdoors in plugin and theme files, as well as redirecting users to malicious sites.
We encourage WordPress users to verify that their sites are updated to the latest patched version of each impacted plugin. For unpatched plugins that have been closed by the WordPress.org security team, we recommend that WordPress users delete the affected plugin and look for an alternative solution.
All Wordfence users, including those running Wordfence Premium (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3lvW1m0lRk7l12zVN7mS53_y6pgkW8C9r2n8pSR3JW626FSN6VWjnxW4q0mJf1b7QdHW5z4vfC1pdr5PVTGQxp3z-R82W5ymwM54x2fr7W6PqG-T428JtbVpYH4V4YbwW8N6Hf7n1t4SnrW6vBsZW4fzQS3W2-QNQG4D20kCW18XtwT3w7nrgW4Hxvrk3vxqS5W3mnshH4-ykMJVrTbYq5XD2GBW8BskmC8XZhNmVnZL2J6L6vnHW5r73Md7qd2vpW8Mx4m785MnnXVxYxMk4J8cR-W3fD86m98w15yW89688K2S8LR5N6JKnhYDx2mMW4yD8DR5zsdfjdSBbcg04 ) , Wordfence Care (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3pMW2JjK7V8l_6NGW2FVLng8WVWxhW3hLbSc8xNG2-W8BzN796BS3wzW7JSc3K6ZVSydW6q5kgr5ZYdlhW6NZbjl6NxwwDW3FqG472ND--DW4BfYwl5G6GJRW5cZJp687qNdYW1pcqxt3jfpw8W3Q45SP6Mz8pXW2Pn4cZ8-RY6PN4WPyMD9JvHwVndswh20NcMhW3jtH1L3DCNYrW8T31Sd5X11DQW8tMJZW4tlcv_N51RHh65w-tbW760Jk88QGRTWW7h6_DT4qFb2CW8L5rGm4QXhw1W25mWyk4gjCCBW8Lt-TV9198HpW8WfVtl8cH3VtN4TxPD02st51f2NPqmK04 ) , and Wordfence Response (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3kJW2pQfXF7bRKdpVQ31q98JHXX4W5y4lgK7ynT0dVqlvR-8n47f-W28Jvxl4QWNRWW6jvsSZ1W9bL9W56zN_j8GjptNW5g8Pvr2fQqSjV3Tlt41SPrmnW51ZjYr6xhsshW6nHr3y72GM5nW84xfxT39tnJMW70RJWm8GZbx8W8Z3j266P3Zf5W6M36cR3CbVbsW4JbNg98ZTKVXW8SXLrL1jyxbDW7j_slF7y7zLyVrvHT75qq7SnW5j99T-3cl02CW5Cpqd03C9MZbW35fPZ16pnlDsW5FXDs-1SZbC4W71v-dM3CNbrvW7ql2tL4CyLvjW4H_X5M6Q6pvFf5sf_Hx04 ) , as well as sites still running the free version of Wordfence, are fully protected against this type of vulnerability.
If you know someone who uses any of these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this type of vulnerability poses a significant risk.
For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.
Did you know that Wordfence has a Bug Bounty Program (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3q0W8z876W1ycJcFVK1CJj13DBcBW7-L28881wWxhW3fRz8j8VDlV3W2bxgz64sHbPqW6xZ3Ww5YwwKLW5stmC82fqpWBW5rNS5c5B6mgZVWB_4l5hC0X0W2Dz9yd4lmCcMW4Tz79V71bkQRW8__8896nWxMKW699p907DH-K-W3TmP7t2hlrs3W7gnTks33SjCpW8p0xPV2Nw1YqW3LRMqm6Wbm8rW8LJm9p82nnmrVRm41r5QT58LN3ztqJXDbk-_W25DlSG4D-M6sW4c5jXL7c2P6lMt099jd1B2TW2LWHPn6sVKtDW2tkW6-9lQpXmTn2mp71Wv8zf5xYvpv04 ) ? Weâve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If youâre an aspiring or current vulnerability researcher, click here to sign up. (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3mrW2Z5Q3v6-Gj8CVlsLMD93sQfGW5B5PFs7G9Rz1W6LSFQs8hv0PZW1pSFzN4cHjBHW5p7jjb79h1ttW526LXc6p8C3DW3ts7n17L8L_BW61n_xg4wzRK_W8yrmkW4W-QYgW6Psylt1zq8tSW37s78963gpk8W7pTmcs77yW5LW5zgVg19kw2j7W2t47bf4rnMwMVp8scQ4dgj2BW4vdjft1KFDvZW7Zfvb-49Sy2KW4rpWDN5ysY8PW5LWvKg3cv93LW6Dp8lW6p5NM8W5sWms01tnrZNW49XkYF5W6g_-W8ykjNp8ldF86W7Tc4KW45LPgWW8JpWpH1jG-QKf4z_fMH04 )
The Full Product Lineup
wf-stacked-free-1 (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3m1W3YNytq6W73SLW3VxzDm6DSj5xW7MthGF2BCjczN4_5n9xj9SH1VlCsjs8q-HgRW8lBJ2f60K8PzW22ltNw3wSB5ZW5Qr8LL753WdvW4rQM2k4RlnjtW8r9jp61KN-WnW1c6rbP7Tls4gW2HXHk58HPPrHW42Yzqd2JV3kvVNyzjt6hsWYcW6Tn4vF3Wc0hbW6g2F436XzxHZW93nrJQ2QVCF6W5KJrts5d_TTPVzwPJk4MstJ-W6Sn80Q63HtxbW685Q974ByYbDW2VLpnp1VQ0Z6W3r2n6s1cz-6BW6z7mQ17d348ZW8XgF235y0SgmW4cqKGY5r8l35f4ZGzhK04 )
wf-stacked-premium-1 (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3l0Tf9H642HqsFW5Y8Mdb5NY8CXW8HxzxQ28nvvdW327mZk7g0N42N3m3nCHVxQv8W2jkTYb3cl1nDW4k_M473Z1xgbW6GvVb-3M9tM8W24DLt82WmCghW7g4gCy4DT8BBW8R28DZ5YMVjqW6VHWYs7B_vF8W8N7t2P8zQ1DmW8-xmBM456k4NVkWBhb2qhK3_W4x1vXn8dxcVqW99nsjY6gQjl6W964lsr5JtjWnW3tcC3f4bSPzHW6JvZPJ4P9WhxVj6Wrr4Js1J-W4pl8Rg4j5Wg0W2C9QY37TCbzdW74hWVZ2h_W_NW4Lyt-W3CDRYKW8Dc3Yl7MJsRLf4BvbQK04 )
wf-stacked-care-3 (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3pHW2QcrW26cd3wqW3Wf3gW3H3GYfW2mMnKQ2BCxWmW8syvpv1qmfjTW4Klklj1yMH5GVc_mx54-CFZqV1KnRx7mTT9GW2nrP3k43HrwCW850F1d3049RWW2r0k_N95yTCYW8kFtRL91sxdgW5c1SsZ8c71mQW3PhZY376hBHzW2N5DnB95JZtzW4CQNYr5Vjrq2W3dC6Rq4-3V4pM61GND9KPjZW3nZB8R2PR2x2W7-DHGw1w3FvYW7M7Wvw7Xy2J0VLRkSH6RgYLDW55z2Fx5fsV4VW4pmS8s7NbnCxW4pV6ml8PR-xvW4lt5d_5dK9hHW29mgzr8SR58xdZ016M04 )
wf-stacked-response-2 (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3kJW2pQfXF7bRKdpVQ31q98JHXX4W5y4lgK7ynT0dVqlvR-8n47f-W28Jvxl4QWNRWW6jvsSZ1W9bL9W56zN_j8GjptNW5g8Pvr2fQqSjV3Tlt41SPrmnW51ZjYr6xhsshW6nHr3y72GM5nW84xfxT39tnJMW70RJWm8GZbx8W8Z3j266P3Zf5W6M36cR3CbVbsW4JbNg98ZTKVXW8SXLrL1jyxbDW7j_slF7y7zLyVrvHT75qq7SnW5j99T-3cl02CW5Cpqd03C9MZbW35fPZ16pnlDsW5FXDs-1SZbC4W71v-dM3CNbrvW7ql2tL4CyLvjW4H_X5M6Q6pvFf5sf_Hx04 )
wf-stacked-cli (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvBd3prCCW7Y8-PT6lZ3nLW22g8kW87rRqMW3KQ_X35kybf0W8VJTQF3xynVHW2qKy825WM5tHW6wGGjf3m0vPJW2gmMkr6BbzS5N3WTRycg4CD4W3nT-LW4bjk5PW2QxFVZ1MxQ_RW1yT_1b1SPLPGW30XhM58xYMCcW8xJ2Ln2zbwDbMSDxPybF3cXN93XFlMCX3mlW5QXPj36Fxp27N99K8yNmRLc9N90K7r2894z8W3h0FKT93921xW3q_nnF3C0rp_W3x9n9Q67Sl6kW8Qph5z6yybvGN5VmH9bnwgsJW8cJTRM4701QcW3sd3KF8_19VsW6QXZcB4BRQ0ZW8TZc5H3ys6TJf28X39q04 )
wf-stacked-intelligence (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzY3prCCW7lCdLW6lZ3mjW98ldJx2NH9JwW6YgF6920q4JlW2qnkfh7j8pM-W1TT_mf4shL-RW2rWtpK7lCdKJW42T7jR2bxpSHW83nWnq8PwVn0V9jjpq87RCn-W5LxYDw4BZKw6W5kLhX64Fm5_-W3tSlJK4lt8S1N4nMsJk2nBGNW3ZDVT31KSg19W1WJv2R38kZpNW5zZNnZ72RX38W401lV11Cv3-RW2sB1nZ6NcMZMN1Z0JLkFGPP4W8ybjX86WRFcCV2zkkW2PH_VWW66phb_7W_yZ-W7TQlz94rM_3wN4HygZQ4-KZFW4JZL-b1MYKvcf1vXHRj04 )
logo-defiant (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzF3prCCW6N1vHY6lZ3nKW4RJ1r_3DrKj2W8wmBth6cD2lfW7Q-7lG3wRzyFW15nkfb27TnNKW48cGCQ15zsy7W5R47tk4DRl-nW2hh21L1CF9ztVmZ3Wf4dgjQSW6lpkxK1CFbymW8q-yB94Pc_6FVVyTX92_2bBYW8LctGb6LgWVBW4Dvmq13LPSMWW6FwzfW2Zc2tTW13Y55d4DVY4gW4QJFwg2Tz2pPW51Pqqn94zlk2W4wrcf29dMFtlW50zXX872bC5SW7VXMZ83h_qsBMQx_7TVL-0_W4X5XqV5lrFyxf3dbQ1T04 )
Defiant, Inc., 1700 Westlake Ave N STE 200
Seattle, WA 98109 United States
Unsubscribe (
https://email.wordfence.com/hs/manage-preferences/unsubscribe-all?languagePreference=en&d=Vn9bTK892TtnVsxx1M3JN_XyW41Rcn-4h29fmN6J4V3XmWFfLW5G3pGk5TVRzhV25tD-4M69Y7N5G0YtGWYLZTN96R68PXk_7QMbwd3JBFDK1W7vMs431t0pB-w1gFZvY1Qt2&v=3&_hsenc=p2ANqtz--5TNkHKf-BeacYwbNvHJIvFsIG4ZWcyQksQvd3iPJil00sC0ZGpz656UZDJj5orAMI1lTB9Tu5qfeCkDFMqXd9aTsz7g&_hsmi=286209999 ) Manage Preferences (
https://email.wordfence.com/hs/manage-preferences/unsubscribe?languagePreference=en&d=Vn9bTK892TtnVsxx1M3JN_XyW41Rcn-4h29fmN6J4V3XmWFfLW5G3pGk5TVRzhV25tD-4M69Y7N5G0YtGWYLZTN96R68PXk_7QMbwd3JBFDK1W7vMs431t0pB-w1gFZvY1Qt2&v=3&_hsenc=p2ANqtz--5TNkHKf-BeacYwbNvHJIvFsIG4ZWcyQksQvd3iPJil00sC0ZGpz656UZDJj5orAMI1lTB9Tu5qfeCkDFMqXd9aTsz7g&_hsmi=286209999 )
ISO_27001 (
https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VX4RNG2hN74LN1nsfGmhLLn1W3pvQRf56-6q2N2QYvzF3prCCW6N1vHY6lZ3p4W27X83Q7vC94-W24xbrG5dP_SBW9hmj5012c-xRW2fk5Sc3J8b7HW9gyjrS2jH7sjW3676H9845tfzW297t0R6QpNyXVLgTZp76D1DgW1xlb937KNvs3W1YP4CP7WZCgrW3sWfT14g8d2JW4l3nn45BzxYqW6zH0q871N1m5W80d1GX983SX3W3PZtz-77F5wcW7MPBG25_-ZCZW1lqtMm3s9LWKMNQKFqdWX7qVTmBfm6cs2J1W7NjLjG3tncVQW4psNGh8gpJ_BN8jfBvnDFh4Kf72pH1204 )
You're receiving this email because you signed up to the Wordfence WordPress security mailing list.
Received on Tue Dec 12 2023 - 19:24:44 CET