Spotlight Social Feeds < 1.4.3 – Contributor+ Stored XSS | CVE 2023-0379 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

Exploit Additional CSS class(es) for "Spotlight Instagram Feed" Gutenberg block:
" onmouseover="alert(1)" style="background:red;"

Note: First, you need to add a Feed with an Instagram account connection.

Affects Plugins

spotlight-social-photo-feeds

Fixed in 1.4.3

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

14b4f0c5-c7b1-4ac4-8c9c-f8c35ca5de4a

Timeline

Publicly Published

2023-01-23 (about 1 years ago)

Added

2023-01-23 (about 1 years ago)

Last Updated

2023-01-23 (about 1 years ago)

Other

Published

Title

Published

2023-09-25

Title

Booking Calendar < 9.7.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

Published

2014-10-17

Title

Easy Contact Form Solution 1.0-1.6 - Stored Cross-Site Scripting (XSS)

Published

2021-09-09

Title

RSVPMaker Excel <= 1.1 - Reflected Cross-Site Scripting

Published

2014-08-01

Title

Subscribe To Comments Reloaded 140204 - options/index.php manager_page Parameter Stored XSS Weakness

Published

2022-08-01

Title

Social Slider Feed < 2.0.5 - Reflected Cross-Site Scripting