WordPress Plugin Vulnerabilities

Easy Social Icons < 3.2.1 - Admin+ Stored Cross-Site Scripting in add icon

Description

The plugin does not properly escape the image_file field when adding a new social icon, allowing high privileged users to inject arbitrary javascript even when the unfiltered_html capability is disallowed.

Version 3.2.0 adressed some of the issues, but was still vulnerable when clicking to edit the contaminated icon.

Proof of Concept

Affects Plugins

Plugin icon
easy-social-icons
Fixed in 3.2.1

References

CVE
CVE-2022-0840

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
2.0 (low)

Miscellaneous

Original Researcher
qerogram
Submitter
qerogram
Submitter website
https://github.com/qerogram
Verified
Yes
WPVDB ID
9da884a9-b4dd-4de0-9afa-722f772cf2df

Timeline

Publicly Published
2022-03-21 (about 3 years ago)
Added
2022-03-21 (about 3 years ago)
Last Updated
2022-04-11 (about 3 years ago)

Other

Published
Title
Published
2024-09-30
Title
AVIF & SVG Uploader < 1.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2025-04-09
Title
MyWorks WooCommerce Sync for QuickBooks Online < 2.9.2 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
DZS Ajaxer Lite – Ajaxify Your WordPress Site and Comment <= 1.04 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2022-08-08
Title
WP Hide & Security Enhancer < 1.8 - Reflected Cross-Site Scripting
Published
2025-05-01
Title
BuddyBoss Platform < 2.8.51 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'bbp_topic_title'