Back to list
Stored Cross Site Scripting Vulnerability in Add Link to Facebook WordPress Plugin
Apr 21 2015 06:05PM
kumarrohit2255 gmail com
Title: Stored XSS Vulnerability in Add Link to Facebook Wordpress Plugin
Author: Rohit Kumar
Plugin Homepage: http://wordpress.org/extend/plugins/add-link-to-facebook/
Version Affected: Version 1.215 and mostly prior to it.
Version Tested: Version 1.215
Version Patched : 1.215
1. App ID
2. App Secret
3. Custom Picture URL
4. Default Picture URL
5. URL News Feed Icon
This plugin is vulnerable to Stored Cross Site Scripting Vulnerability. This issue was exploited when user
accessed to ?Add Link to Facebook? Settings in Wordpress with Administrator privileges. A malicious
administrator can hijack other user?s sessions, take control of another administrator?s browser or install
malware on their computer.
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XS
Steps to Reproduce:
After installing the plugin:
Goto Settings All in One Facebook
Input this payload in ?App ID? :- ?><script>alert(1)</script>
Click on the Save button.
After reloading the page you will see a Pop Up Box with 1 written on it.
Reload the page again to make sure it?s stored.
09th March 2015
[ reply ]
Copyright 2010, SecurityFocus