WordPress Plugin Vulnerabilities

Super Socializer < 7.13.64 - Editor+ Stored XSS

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

When creating a new widget, insert the following payload in the "FaceBook URL" field - 40"asdasd=''<script>alert(10)</script>;"

Affects Plugins

Plugin icon
super-socializer
Fixed in 7.13.64

References

CVE
CVE-2024-2836

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://research.cleantalk.org
Verified
Yes
WPVDB ID
36f95b19-af74-4c56-9848-8ff270af4723

Timeline

Publicly Published
2024-03-25 (about 1 months ago)
Added
2024-03-25 (about 1 months ago)
Last Updated
2024-03-25 (about 1 months ago)

Other

Published
Title
Published
2014-08-01
Title
Social Connect 0.10.1 - diagnostics/test.php testing Parameter Reflected XSS
Published
2023-05-09
Title
WP Responsive Tabs horizontal vertical and accordion Tabs < 1.1.16 - Reflected XSS
Published
2021-07-01
Title
WP Google Map < 1.7.7 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2023-10-09
Title
GEO my WordPress < 4.0.1 - Contributor+ Stored XSS
Published
2021-12-27
Title
myCred < 2.4 - Reflected Cross-Site Scripting