CVSS Summary

| Score | 6.4 Medium |
|---|---|
| Vector | Network |
| Complexity | Low |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | None |
It is possible to request pages that will run the attacker's choice of WordPress shortcode and display any content of the attacker's choosing. This allows the attacker to view extremely sensitive data, to create content, to access forms that have been disabled, and to greatly aid the exploitation of other plugins.

This can also be exploited to perform simple cross-site scripting (XSS) attacks by injecting HTML into pages, if a user can be tricked into following a link constructed by the attacker. This could be used, e.g., to damage the reputation of the site or another entity, or to trick the user into installing malicious software.

Citizen Space inspects every URL requested on the site to see whether it contains “cs_consultation” anywhere, including in the query parameters. It then looks for the `path` parameter in the URL and, if it is found, appends it to post_content without sanitising it:

```php
$post->post_content = '[citizenspace_consultation url="' . $_GET['path'] . '"]';
```

This means that the citizenspace_consultation shortcode can be broken out of by adding a closing square bracket (`]`). This works because the WordPress shortcode specification is strict: a shortcode may not contain any closing square bracket, so the first `]` ends the tag regardless of quoting. Any content placed in the path parameter after that bracket is searched for shortcodes, and any that are found are executed. HTML will also be rendered and JavaScript will be executed.
Current state: Reported
Assuming a site running on localhost, making this request will inject [shortcodehere] into the page.
http://localhost/?cs_consultation&path="][shortcodehere][[[
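To make the break-out concrete, here is an added example (not code from the advisory or from the Delib plugin) in Python. It models the shortcode scanner just far enough to show why the first `]` ends the tag, places the plugin's vulnerable construction beside a hardened one, and demonstrates the defensive point that validating the `path` value and passing it to the handler as a parsed attribute leaves no markup to break out of. The scanner regex, the `SAFE_PATH` allowlist and `demo_handler` are assumptions made for illustration; the real WordPress regex and the plugin's renderer are not reproduced.

```python
import html
import re

# Simplified stand-in for the attribute region of WordPress's shortcode tag
# regex: everything between the tag name and the FIRST ']' is treated as
# attributes, so a ']' inside a quoted value still closes the tag.
# Assumption for illustration, not the real get_shortcode_regex().
SHORTCODE_TAG = re.compile(r"\[(\w+)([^\]]*)\]")


def find_shortcodes(content):
    """Return the tag names a shortcode scanner would pick out of `content`.

    Each one would be looked up among the registered shortcodes and executed.
    """
    return [m.group(1) for m in SHORTCODE_TAG.finditer(content)]


def vulnerable_post_content(path):
    """Mirror of the plugin line quoted in the advisory: the raw query value
    is concatenated straight into shortcode markup."""
    return '[citizenspace_consultation url="' + path + '"]'


# Constructed allowlist for the path: letters, digits, '_', '-', '.', '/'.
# Neither quotes nor brackets can ever reach the markup.
SAFE_PATH = re.compile(r"/?[A-Za-z0-9_\-./]*")


def validate_path(path):
    """Accept only a plain relative path; reject everything else.

    HTML-escaping alone (esc_attr) would not be enough here: it turns the
    quote into '&quot;' but leaves the ']' that terminates the shortcode.
    """
    if not SAFE_PATH.fullmatch(path) or ".." in path:
        raise ValueError("rejected path parameter: %r" % path)
    return path


def demo_handler(atts):
    """Stand-in for the plugin's registered shortcode callback (assumed);
    it escapes on output so the value cannot become markup."""
    return '<iframe src="%s"></iframe>' % html.escape(atts["url"], quote=True)


def hardened_post_content(path, handler=demo_handler):
    """Do not build shortcode text from user input at all: validate the
    value, then hand it to the handler as a parsed attribute dict. There is
    no shortcode markup left for the input to break out of."""
    return handler({"url": validate_path(path)})


if __name__ == "__main__":
    # Constructed inputs: a benign path and the break-out from the advisory.
    for path in ("/consultations/budget/", '"][shortcodehere][[['):
        print("vulnerable:", find_shortcodes(vulnerable_post_content(path)))
        try:
            print("hardened:  ", hardened_post_content(path))
        except ValueError as exc:
            print("hardened:  ", exc)
```

Run stand-alone, the vulnerable construction yields two shortcodes for the break-out input (the plugin's own plus `shortcodehere`), while the hardened path rejects that input before any markup exists and renders the benign path without producing a shortcode at all.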
2015-01-30: Discovered
2015-03-04: CVE requested
2015-03-05: Reported to vendor by email
2015-03-12: Confirmed plan for deprecation
2015-03-31: Plugin confirmed deprecated and removed from WP.org.
2015-04-16: Published
2015-07-14: Re-requested CVE
Disable and remove the plugin. The plugin authors (Delib) have deprecated the plugin and removed it from the plugin directory. They no longer recommend it as a way of integrating Citizen Space with WordPress:
https://delib.zendesk.com/hc/en-us/articles/203432169-Citizen-Space-Wordpress-plug-in
https://delib.zendesk.com/hc/en-us/articles/203432149-How-do-I-integrate-Citizen-Space-into-my-existing-website-