Researchers at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in the Facebook Widget (Widget for Facebook Page Feeds).
The plugin is one of the 1,000 most popular plugins and it was closed on the WordPress Plugin Directory yesterday. After being informed of the closure, the experts analyzed the plugin and discovered it is affected by an authenticated persistent cross-site scripting (XSS) vulnerability. The flaw is caused by the improper handling of the security of shortcode attributes.
“While we were looking in to the plugin to see if there were any vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains an authenticated persistent cross-site scripting (XSS) vulnerability due to not properly handling the security of shortcode attributes.” read the analysis published by Plugin Vulnerabilities.
Experts pointed out that the shortcode “fb_widget” causes the function fb_plugin_shortcode() to run. Analyzing the function, experts found in the first line the code that sets attributes from a shortcode to the variable $defaults without sanitizing the input.
For lower level users, WordPress does not sanitize them for usage as HTML tag attributes. The code in the last line shows output as HTML tag attributes that are not being escaped.
The flaw could be exploited by an attacker to trigger the execution of malicious JavaScript that has to be included on the page.
To protest against the moderators of the WordPress Support Forum’s, the experts decided to disclose the flaw and to share the proof-of-concept code.
“When logged in as an Author, which does not have the unfiltered_html capability, place the following shortcode on a post:
[fb_widget height='" onmouseover="alert(document.cookie)']
“When visiting the post on the frontend, when hovering over the facebook widget an alert box with any available cookies will be shown.” reads the analysis”
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Facebook Widget, XSS)
[adrotate banner=”5″]
[adrotate banner=”13″]
Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler…
A financially motivated group named GhostR claims the theft of a sensitive database from World-Check…
Researcher demonstrated how to exploit vulnerabilities in the Windows DOS-to-NT path conversion process to achieve…
Japan's CERT warns of a vulnerability in the Forminator WordPress plugin that allows unrestricted file uploads…
Government agencies revealed that Akira ransomware has breached over 250 entities worldwide and received over…
Threat actors target government entities in the Middle East with a new backdoor dubbed CR4T…
This website uses cookies.