WordPress Plugin Vulnerabilities

Easy Social Feed < 6.5.6 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin

Proof of Concept

Affects Plugins

Plugin icon
easy-facebook-likebox
Fixed in 6.5.6

References

CVE
CVE-2024-1219
URL
https://research.cleantalk.org/cve-2024-1219/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
https://research.cleantalk.org
Verified
Yes
WPVDB ID
ce4ac9c4-d293-4464-b6a0-82ddf8d4860b

Timeline

Publicly Published
2024-03-27 (about 1 year ago)
Added
2024-03-27 (about 1 year ago)
Last Updated
2024-04-12 (about 1 year ago)

Other

Published
Title
Published
2016-04-06
Title
Ultimate Member < 1.3.40 - Cross-Site Scripting (XSS)
Published
2024-04-15
Title
Shortcodes and extra features for Phlox theme < 2.15.8 - Contributor+ XSS via HTML Element
Published
2025-04-22
Title
HTML Forms < 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2015-08-10
Title
The Holiday Calendar <= 1.11.2 - Cross-Site Scripting (XSS)
Published
2021-08-31
Title
underConstruction < 1.19 - Reflected Cross-Site Scripting