WordPress Plugin Facebook Widget affected by authenticated XSS

Security experts at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in Facebook Widget.

Researchers at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in the Facebook Widget (Widget for Facebook Page Feeds).

The plugin is one of the 1,000 most popular plugins and it was closed on the WordPress Plugin Directory yesterday. After being informed of the closure, the experts analyzed the plugin and discovered it is affected by an authenticated persistent cross-site scripting (XSS) vulnerability. The flaw is caused by the improper handling of the security of shortcode attributes.

“While we were looking in to the plugin to see if there were any vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains an authenticated persistent cross-site scripting (XSS) vulnerability due to not properly handling the security of shortcode attributes.” read the analysis published by Plugin Vulnerabilities.

Experts pointed out that the shortcode “fb_widget” causes the function fb_plugin_shortcode() to run. Analyzing the function, experts found in the first line the code that sets attributes from a shortcode to the variable $defaults without sanitizing the input.

For lower level users, WordPress does not sanitize them for usage as HTML tag attributes. The code in the last line shows output as HTML tag attributes that are not being escaped.

The flaw could be exploited by an attacker to trigger the execution of malicious JavaScript that has to be included on the page.

To protest against the moderators of the WordPress Support Forum’s, the experts decided to disclose the flaw and to share the proof-of-concept code.

“When logged in as an Author, which does not have the unfiltered_html capability, place the following shortcode on a post:

[fb_widget height='" onmouseover="alert(document.cookie)']

“When visiting the post on the frontend, when hovering over the facebook widget an alert box with any available cookies will be shown.” reads the analysis”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Facebook Widget, XSS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.