Jump to content
KhiZaRix

WordPress Add Link To Facebook 1.215 Cross Site Scripting

Recommended Posts

Posted


Title: Stored XSS Vulnerability in Add Link to Facebook Wordpress Plugin

Author: Rohit Kumar

Plugin Homepage: http://wordpress.org/extend/plugins/add-link-to-facebook/

Severity: Medium

Version Affected: Version 1.215 and mostly prior to it.

Version Tested: Version 1.215

Version Patched : 1.215

Description:

Vulnerable Parameter
1. App ID
2. App Secret
3. Custom Picture URL
4. Default Picture URL
5. URL News Feed Icon

About Vulnerability
This plugin is vulnerable to Stored Cross Site Scripting Vulnerability. This issue was exploited when user
accessed to Add Link to Facebook Settings in Wordpress with Administrator privileges. A malicious
administrator can hijack other users sessions, take control of another administrators browser or install
malware on their computer.

Vulnerability Class:
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

Steps to Reproduce:
After installing the plugin:
Goto Settings All in One Facebook
Input this payload in App ID :- ><script>alert(1)</script>
Click on the Save button.
After reloading the page you will see a Pop Up Box with 1 written on it.
Reload the page again to make sure its stored.

Change Log
https://wordpress.org/plugins/add-link-to-facebook/changelog/

Disclosure
09th March 2015

Source: http://packetstorm.wowhacker.com/1504-advisories/wpfacebook-xss.txt

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...