WordPress Plugin Vulnerabilities
Ultimate Instagram Feed <= 1.3 - Authenticated Cross-Site Scripting (XSS)
Description
Author: OmarK <http://omark.me/>
The vulnerability lies in the "access_token" parameter and results in a
reflected XSS vulnerability.
The issue is in the file
ultimate-instagram-feed/admin/partials/uif-access-token-display.php, line 19:

    <input id='uif_access_token' type="text" class="regular-text"
    name="uif_access_token" value="<?php if(get_option('uif_access_token')){echo
    get_option('uif_access_token');}elseif(isset($_GET['access_token'])){echo
    $_GET['access_token'];} ?>">

The vulnerable code is the following:

    echo $_GET['access_token'];
The user-controlled GET parameter "access_token" is echoed straight into the
value attribute without any escaping. This leads to a reflected XSS vulnerability.
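To make the fix concrete, here is an added example (not the plugin's own code, and not from the advisory author): the vulnerable pattern reported above, written as a function, next to a hardened version that passes the value through WordPress's attribute-context escaping function esc_attr() before it reaches the page. The function names, the esc_attr() shim for running outside WordPress, and the sample request are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code: the unescaped echo from
// uif-access-token-display.php line 19 beside a hardened version.
// render_token_field_* are illustrative names, not plugin functions.

// Outside WordPress esc_attr() does not exist. This shim (an assumption for
// stand-alone runs) mirrors its effect: HTML-escape quotes, angle brackets and
// ampersands so the value is safe inside a double-quoted attribute.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: the reflected request parameter is concatenated into the
// attribute unescaped, so a double quote in the value terminates the
// attribute and whatever follows is parsed as markup.
function render_token_field_vulnerable(array $get, ?string $saved_option): string {
    if ($saved_option) {
        $value = $saved_option;
    } elseif (isset($get['access_token'])) {
        $value = $get['access_token'];
    } else {
        $value = '';
    }
    return "<input id='uif_access_token' type=\"text\" class=\"regular-text\""
         . " name=\"uif_access_token\" value=\"" . $value . "\">";
}

// Hardened: every value, whether the saved option or the reflected parameter,
// goes through esc_attr() at the point where it is written into HTML.
function render_token_field_hardened(array $get, ?string $saved_option): string {
    if ($saved_option) {
        $value = $saved_option;
    } elseif (isset($get['access_token'])) {
        $value = $get['access_token'];
    } else {
        $value = '';
    }
    return "<input id='uif_access_token' type=\"text\" class=\"regular-text\""
         . " name=\"uif_access_token\" value=\"" . esc_attr($value) . "\">";
}

// Constructed sample request: a value carrying the characters that matter in
// attribute context (a double quote and angle brackets), nothing more.
$sampleGet = ['access_token' => 'abc"<demo>'];

// Unescaped: the quote closes value="abc" early and <demo> becomes a tag.
echo render_token_field_vulnerable($sampleGet, null), PHP_EOL;

// Escaped: value="abc&quot;&lt;demo&gt;" is rendered as literal text and the
// attribute boundary stays intact.
echo render_token_field_hardened($sampleGet, null), PHP_EOL;
```

Two points worth noting from the original snippet: the reflected branch is only reached when no uif_access_token option has been saved yet, so the exposure is largest on a fresh install, and the saved option itself is echoed unescaped as well, which is why the hardened version escapes at the output site rather than trying to filter the request parameter on input.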
A logged-in Administrator who clicks the specially crafted link is presented
with a video, as shown in the attached PoC picture. When the video is clicked,
the JavaScript code (an alert box for this PoC) is executed.
I used this kind of payload in order to bypass the Chrome XSS Auditor. The
vulnerability has been tested against:
- Ultimate Instagram Feed Version: 1.2
- WordPress 4.8.3 running Twenty Seventeen theme.
- Chrome Version 61.0.3163.100 (Official Build) (64-bit)
Timeline:
31 Oct 2017: Initial Contact.
31 Oct 2017: Vendor replies and asks for more information.
1 Nov 2017: Details have been provided to the vendor.
2 Nov 2017: WordPress has been informed; the WordPress team requests more
information and receives it.
4 Nov 2017: WordPress acknowledges
4 Nov 2017: Vendor releases version 1.3 which fixes the issue.
8 Nov 2017: Public Disclosure
gr33tz for the payload @brutelogic (https://brutelogic.com.br/blog/chrome-xss-auditor-svg-bypass/)