CVE-2025-4608

Severity: MEDIUM (CVSS 3.1 base score 6.4)
Published: 2025-07-24 (source: [email protected])

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Apr 08, 2026 - 19:39 (vuln.today): Analysis generated
Jul 24, 2025 - 10:15 (nvd): CVE published, MEDIUM 6.4

Description (NVD)

The Structured Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Analysis (AI)

Stored Cross-Site Scripting in the Structured Content plugin for WordPress, up to and including version 1.6.4, allows authenticated users with contributor-level access or above to inject arbitrary JavaScript through attributes of the sc_fs_local_business shortcode, because those attributes are neither sanitized on input nor escaped on output. The injected script runs in the browser of any user who views the affected page, which can lead to session or account compromise (including of editors and administrators who review the post), malware distribution, or defacement. No public exploit code or active exploitation has been confirmed at this time.

Technical Context (AI)

The vulnerability is in the sc_fs_local_business shortcode implementation of the Structured Content WordPress plugin. The shortcode callback reads attribute values that the post author controls and renders them into the local-business HTML template without contextual escaping, and the plugin does not sanitize those values when reading them either. This is a classic Stored XSS (CWE-79): attacker-controlled input flows into page content without sanitization or context-appropriate escaping. WordPress plugin code is expected to sanitize attribute values when they are read (sanitize_text_field() for plain strings, wp_kses_post() where limited HTML is allowed) and to escape them when they are written out (esc_html() for text nodes, esc_attr() for attribute values, esc_url() for href and src). WordPress's own kses filtering of contributor content does not help here: a contributor lacks the unfiltered_html capability, so raw <script> tags are stripped from the post on save, but a shortcode attribute value such as name='x" onmouseover="alert(1)' contains no HTML tag, passes through kses, and only becomes an event handler when the plugin concatenates it into markup. The vulnerable code resides in the shortcode processing logic (class-structuredcontent.php line 188) and the local-business template rendering (templates/shortcodes/local-business.php). The attack surface is limited to authenticated users with contributor-level permissions or above, but the impact is site-wide once the malicious shortcode is rendered on a page that other users visit.
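The pattern described above, as an added example that is not the Structured Content plugin's code: a shortcode handler that interpolates attribute values straight into markup, beside the same handler escaped per output context. The attribute names (name, url, phone), the template markup and the attacker payload are assumptions; the shims at the top stand in for the WordPress helpers so the file runs with plain PHP outside WordPress.

```php
<?php
// Added example, not the plugin's code. Shims for WordPress helpers so this
// runs stand-alone; inside WordPress the real functions are used instead.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // Minimal shim: only http(s) URLs survive. WordPress's esc_url allows more
    // schemes but likewise rejects javascript:.
    function esc_url($s) {
        $s = trim((string) $s);
        return preg_match('#^https?://#i', $s) ? esc_attr($s) : '';
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($defaults, $atts) {
        $out = [];
        foreach ($defaults as $k => $v) {
            $out[$k] = array_key_exists($k, $atts) ? $atts[$k] : $v;
        }
        return $out;
    }
}

// Vulnerable pattern (assumed markup): attribute values are concatenated into
// an HTML attribute, an href and a text node with no escaping at all.
function vulnerable_local_business($atts) {
    $a = shortcode_atts(['name' => '', 'url' => '', 'phone' => ''], $atts);
    return '<div class="local-business" data-name="' . $a['name'] . '">'
         . '<a href="' . $a['url'] . '">' . $a['name'] . '</a>'
         . '<span>' . $a['phone'] . '</span></div>';
}

// Hardened pattern: each value is escaped for the context it lands in.
// In a plugin this would be registered with
// add_shortcode('sc_fs_local_business', 'hardened_local_business').
function hardened_local_business($atts) {
    $a = shortcode_atts(['name' => '', 'url' => '', 'phone' => ''], $atts);
    return '<div class="local-business" data-name="' . esc_attr($a['name']) . '">'
         . '<a href="' . esc_url($a['url']) . '">' . esc_html($a['name']) . '</a>'
         . '<span>' . esc_html($a['phone']) . '</span></div>';
}

// Constructed attacker input: the array WordPress would hand the handler after
// parsing [sc_fs_local_business name='x" onmouseover="alert(1)' url='javascript:alert(2)'].
// Neither value contains an HTML tag, so kses filtering of contributor
// content on save leaves both intact.
$payload = [
    'name'  => 'x" onmouseover="alert(1)',
    'url'   => 'javascript:alert(2)',
    'phone' => '555-0100',
];

echo "VULNERABLE:\n" . vulnerable_local_business($payload) . "\n\n";
echo "HARDENED:\n"   . hardened_local_business($payload) . "\n";
```

The vulnerable output closes the data-name attribute early and leaves a live onmouseover handler plus a javascript: link; the hardened output renders the same bytes as inert text, and the link is dropped because esc_url rejects the scheme. The point of the per-context split is that esc_html alone would not have stopped the attribute breakout in data-name, and esc_attr alone would not have neutralised the javascript: href.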

Affected Products (AI)

The Structured Content WordPress plugin in all versions up to and including 1.6.4 is affected. The plugin is hosted on the official WordPress plugin repository at wordpress.org/plugins/structured-content/. Any installation running 1.6.4 or earlier on which a contributor-level or higher account can submit content containing the sc_fs_local_business shortcode is exposed. Contributors cannot publish on their own, so the injected script is commonly triggered first when an editor or administrator previews or reviews the pending post, which is exactly the session an attacker wants; once the page is published it runs for every visitor.

Remediation (AI)

Update the Structured Content plugin to the patched release produced by changeset 3334624 (1.6.5 if that is the version tagged from it; check https://plugins.trac.wordpress.org/changeset/3334624/ for the exact version). The changeset addresses the missing sanitization and escaping in the sc_fs_local_business shortcode; the standard fix for this class of bug is to sanitize attribute values on input (sanitize_text_field(), or wp_kses_post() where limited HTML is allowed) and to escape them contextually on output (esc_html(), esc_attr(), esc_url()). Note that wp_kses_allowed_html() only returns the allowed-tag table and is not itself a sanitizer. Site administrators should update via the Plugins dashboard or manually from https://wordpress.org/plugins/structured-content/#developers. Until the update is applied: restrict contributor-level and higher accounts to trusted users; if the shortcode is not needed, unregister it with remove_shortcode('sc_fs_local_business') from a must-use plugin hooked late on init; and audit existing published and pending content for sc_fs_local_business instances whose attribute values contain a quote followed by an attribute-like token, an on* event handler, a javascript: URL or a raw tag opener. Monitor Wordfence threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/c8c60701-37f0-4404-b965-9136ac456e38) for exploitation reports.
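One way to run the content audit mentioned above, as an added example that is not the plugin's or vuln.today's code: scan post content for sc_fs_local_business shortcode instances and flag attribute values that look like attribute breakouts, event handlers, javascript: URLs or raw tags. The sample posts are constructed; the detection rules, the simplified attribute parser and the shortcode regex are assumptions (inside WordPress, get_shortcode_regex() and shortcode_parse_atts() are the exact equivalents). In a real audit, feed it rows of ID and post_content from the wp_posts table, for instance via WP-CLI or a direct query.

```php
<?php
// Added audit example, not the plugin's code.

// Simplified attribute parser modelled on WordPress shortcode_parse_atts():
// handles name="v", name='v' and name=v. Assumption: adequate for an offline
// audit; inside WordPress, call shortcode_parse_atts() instead.
function parse_atts(string $text): array {
    $atts = [];
    $re = '/(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*\'([^\']*)\'|(\w+)\s*=\s*([^\s\'"\]]+)/';
    if (preg_match_all($re, $text, $m, PREG_SET_ORDER)) {
        foreach ($m as $g) {
            if ($g[1] !== '') {
                $atts[$g[1]] = $g[2];
            } elseif (($g[3] ?? '') !== '') {
                $atts[$g[3]] = $g[4];
            } elseif (($g[5] ?? '') !== '') {
                $atts[$g[5]] = $g[6];
            }
        }
    }
    return $atts;
}

// Detection rules (assumed): the shapes a value takes when it is meant to
// escape an HTML attribute or carry script, none of which need a tag that
// kses would strip from contributor content.
const SUSPICIOUS = [
    'attr_breakout' => '/["\']\s*[a-z-]+\s*=/i',   // x" onmouseover=
    'event_handler' => '/\bon[a-z]+\s*=/i',        // onerror=, onload=
    'js_url'        => '/^\s*javascript\s*:/i',    // javascript:alert(1)
    'tag_open'      => '/<\s*\/?\s*[a-z]/i',       // <img, <svg, </a
];

// Return one finding per suspicious attribute in one post's content.
function audit_post(int $id, string $content): array {
    $findings = [];
    // Assumption: attribute values do not contain ']'. WordPress's
    // get_shortcode_regex() is the exact parser when running inside WP.
    if (!preg_match_all('/\[sc_fs_local_business\b([^\]]*)\]/i', $content, $m, PREG_SET_ORDER)) {
        return $findings;
    }
    foreach ($m as $tag) {
        foreach (parse_atts($tag[1]) as $name => $value) {
            foreach (SUSPICIOUS as $label => $re) {
                if (preg_match($re, $value)) {
                    $findings[] = ['post' => $id, 'attr' => $name, 'rule' => $label, 'value' => $value];
                    break; // one rule per attribute is enough to flag it
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows (ID => post_content). 101 is benign; 102 breaks out
// of an attribute and uses a javascript: URL; 103 carries a raw tag with an
// event handler (only survives kses if the author had unfiltered_html).
$posts = [
    101 => '[sc_fs_local_business name="Blue Cafe" url="https://example.com" phone="555-0100"]',
    102 => "[sc_fs_local_business name='x\" onmouseover=\"alert(1)' url='javascript:alert(2)']",
    103 => 'Opening hours: [sc_fs_local_business name="<img src=x onerror=alert(3)>"]',
];

foreach ($posts as $id => $content) {
    foreach (audit_post($id, $content) as $f) {
        printf("post %d: attr %s flagged by %s: %s\n", $f['post'], $f['attr'], $f['rule'], $f['value']);
    }
}
```

Post 101 produces no findings; 102 is flagged on name (attr_breakout) and url (js_url); 103 is flagged on name (event_handler). Treat hits as leads, not proof: a legitimate business name containing a quote will trip attr_breakout, so review each flagged post and its author, and check pending and draft posts as well as published ones, since a contributor's payload sits in a pending post waiting for an editor to preview it.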
