Stored XSS in Plotly allows less privileged users to insert arbitrary JavaScript into posts


Last revised:

This plugin allows users who do not have the unfiltered_html capability to insert JavaScript into posts/pages which gets executed by the browsers of other users.

On single sites, only Administrators have the unfiltered_html capability, and on multisite, only Super Admins have this capability. This means that e.g. malicious Admins on a multisite, or malicious Editors would be able to perform XSS attacks against other site users and visitors.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 6.5 Medium
Vector Network
Complexity Low
Authentication Single
Confidentiality Partial
Integrity Partial
Availability Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  1. Create a new post as a user (without the unfiltered_html capability)
  2. Switch to text mode
  3. Place this link on a line by itself:’onerror=’alert(1)’>
  4. View the post

Advisory timeline

  • 2015-06-04: Discovered
  • 2015-07-09: Reported to vendor via the contact form on the Plotly Enterprise site
  • 2015-07-09: Requested CVE
  • 2015-07-10: Vendor responded and confirmed fixed in 1.0.3
  • 2015-07-13: Published

Mitigation/further actions

Upgrade to version 1.0.3 or later.

N.B. If all accounts are trusted, or all accounts have the unfiltered_html capability, then there is no issue.