Favicon by RealFaviconGenerator < 1.3.22 - Reflected Cross-Site Scripting (XSS)
Description
The plugin does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) which is executed in the context of a logged administrator. Timeline (WPScanTeam): June 28th, 2021 - Details sent to vendor July 9th, 2021 - Escalated to WP due to lack of response from vendor July 27th, 2021 - No update, disclosing August 9th, 2021 - v1.3.22 released, fixing the issue
Proof of Concept
Affected parameter: json_result_url https://example.com/wp-admin/themes.php?page=favicon-by-realfavicongenerator%2Fadmin%2Fclass-favicon-by-realfavicongenerator-admin.phpfavicon_appearance_menu&json_result_url=%3Cimg%20src=x%20onerror=alert(document.domain)%3E
Affects Plugins
Fixed in version 1.3.22✓
Classification
Miscellaneous
Original Researcher
renniepak
Submitter
renniepak
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-07-27 (about 2 months ago)
Added
2021-07-27 (about 2 months ago)
Last Updated
2021-08-10 (about 2 months ago)