WPTouch [Unauthenticated Stored XSS]


This vulnerability relies on the process_desktop_shortcodes option being enabled. The option appears to be exposed in the UI only in the pro version, but the underlying code exists in the free version. For mobile users, this feature renders the DOM and sends the resulting HTML content back to the server to be cached. No filtering or validation is performed on that HTML, and it is cached for 24 hours. An attacker can inject arbitrary script tags into this HTML to XSS another mobile user.
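
A hardened version of the cache-write path described above, as an added example that is not WPtouch's own code: client-submitted HTML is validated and sanitized before it is cached for 24 hours. The action name, field names (post_id, html, nonce), size cap and example_ functions are hypothetical, and the sketch assumes the HTML arrives through an admin-ajax handler inside WordPress.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical names throughout:
// action 'example_cache_shortcode_html', POST fields 'post_id', 'html', 'nonce'.

const EXAMPLE_MAX_HTML_BYTES = 262144; // assumed cap: 256 KiB per cached page

function example_cache_key( $post_id ) {
    return 'example_sc_html_' . absint( $post_id );
}

function example_store_rendered_html() {
    // Logged-out visitors all share one nonce, so this check limits
    // cross-site request forgery but does not authenticate the sender.
    if ( ! check_ajax_referer( 'example_cache_shortcode_html', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }

    // Only accept content for a post that exists and is published.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || 'publish' !== get_post_status( $post_id ) ) {
        wp_send_json_error( 'unknown post', 404 );
    }

    $html = isset( $_POST['html'] ) ? wp_unslash( $_POST['html'] ) : '';
    if ( ! is_string( $html ) || '' === $html || strlen( $html ) > EXAMPLE_MAX_HTML_BYTES ) {
        wp_send_json_error( 'invalid html', 400 );
    }

    // The step the vulnerable flow lacks: drop every tag and attribute that is
    // not on the post-content allowlist (script tags and on* handlers are not).
    $clean = wp_kses_post( $html );

    // Same 24-hour lifetime as described above, now holding sanitized markup.
    set_transient( example_cache_key( $post_id ), $clean, DAY_IN_SECONDS );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_cache_shortcode_html', 'example_store_rendered_html' );
add_action( 'wp_ajax_example_cache_shortcode_html', 'example_store_rendered_html' );

function example_get_cached_html( $post_id ) {
    $cached = get_transient( example_cache_key( $post_id ) );
    // Sanitize again on read so entries cached before the fix are never served raw.
    return is_string( $cached ) ? wp_kses_post( $cached ) : '';
}
```

Sanitizing stops script injection, but an unauthenticated visitor can still choose the markup other users are served from the cache. Rendering the shortcodes on the server and never accepting client-supplied HTML removes that trust in the client entirely.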