Ultimate Instagram Feed <= 1.3.1 – Authenticated Cross-Site Scripting (XSS)

Description

In regards to https://wpvulndb.com/vulnerabilities/8947, the XSS vulnerability remains in 1.3 and 1.3.1 as the author passes _GET['access_token'] to sanitize_text_field(). However, the value is inserted into an attribute of an element, and sanitize_text_field() does not filter for quotes (single or double). Therefore, injecting %22+onblur%3D%22alert%281%29 for access_token will still result in an exploitable injection. I have reached out to the author but have not received a response yet. I've also contracted the plugin team at WordPress.org

Proof of Concept

While logged in
http://yoursite.com/wp-admin/admin.php?page=ultimate-instagram-feed.php&access_token=%22+onblur%3D%22alert%281%29

Affects Plugins

ultimate-instagram-feed

No known fix

References

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Submitter

Gilzow

Submitter website

http://missouri.edu

Submitter twitter

gilzow

Verified

WPVDB ID

5c4286d6-2b64-47e1-806e-b1c142ca00d6

Timeline

Publicly Published

2017-11-10 (about 8 years ago)

Added

2017-11-12 (about 8 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2022-01-06

Title

WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs

Published

2026-01-16

Title

CM E-Mail Blacklist < 1.6.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'black_email' Parameter

Published

2024-11-19

Title

Sugar Calendar (Lite) < 3.4.0 - Reflected Cross-Site Scripting

Published

2025-10-22

Title

Posts By Tag <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-11-20

Title

Dynamic "To Top" 3.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting