Fancy Comments WordPress < 1.2.15 – Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin

Proof of Concept

Put the below shortcode in a post as a contributor or above

[Fancy_Facebook_Comments heading_tag='script' title='alert(/XSS/)']

Affects Plugins

fancy-facebook-comments

Fixed in 1.2.15

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

5.9 (medium)

Miscellaneous

Verified

Yes

WPVDB ID

86cad9b9-eaa5-4775-8ebf-e9e967cfb439

Timeline

Publicly Published

2023-12-28 (about 2 years ago)

Added

2024-02-01 (about 2 years ago)

Last Updated

2024-02-01 (about 2 years ago)

Other

Published

Title

Published

2015-08-24

Title

Portfolio Gallery < 1.5.9 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2023-04-19

Title

Easy Ad Manager <= 1.0.0 - Admin+ Stored XSS

Published

2023-02-23

Title

Simple YouTube Responsive < 3.0 - Contributor+ Stored XSS

Published

2024-03-15

Title

WEN Responsive Columns < 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Published

2024-11-18

Title

HTML5 Lyrics Karaoke Player <= 2.4 - Reflected Cross-Site Scripting