Easy Social Feed < 6.2.7 – Reflected Cross-Site Scripting (XSS)

Description

The plugin does not sanitise and escape a parameter before outputting back in an admin dashboard page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged admin or editor

Proof of Concept

https://example.com/wp-admin/admin.php?page=easy-facebook-likebox&access_token=a&type=</script><script>alert(/XSS/)</script>

Affects Plugins

easy-facebook-likebox

Fixed in 6.2.7

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

7.1 (high)

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

6dd00198-ef9b-4913-9494-e08a95e7f9a0

Timeline

Publicly Published

2021-08-16 (about 4 years ago)

Added

2022-01-08 (about 3 years ago)

Last Updated

2022-01-08 (about 3 years ago)

Other

Published

Title

Published

2023-11-17

Title

wpDiscuz < 7.6.13 - Admin+ Stored XSS

Published

2020-05-07

Title

Iframe < 4.5 - Authenticated Stored Cross Site Scripting (XSS)

Published

2022-03-02

Title

Amelia < 1.0.47 - Unauthenticated Stored XSS via lastName

Published

2025-04-02

Title

Glossy Blog <= 1.0.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2024-11-27

Title

Awesome Event Booking < 2.7.2 - Reflected Cross-Site Scripting