CVSS Summary
| Score | 5.8 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | None |
Advisory:
Reflected XSS in Social Pug – Easy Social Share Buttons could allow an attacker to do almost anything an admin user can
Vulnerability
Last revised:
This plugin takes input from $_GET and puts it directly into HTML without escaping it. This means that anybody who is able to convince an admin user to click on a link would be able to take control of their browser on that domain name and delete posts, add new admin users, etc..
Current state: Fixed
Proof of concept
Log in as an admin user with this plugin activated, using a browser without reflected XSS prevention (i.e. Firefox). Visit this URL:
/wp-admin/admin.php?page=dpsp-toolkit&settings-updated=1&dpsp_message_id=0&dpsp_message_class=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Advisory timeline
- 2016-02-24: Discovered
- 2016-12-07: Reported via https://devpups.com/support/
- 2016-12-07: Requested CVE
- 2016-12-08: Vendor reported issue fixed in 1.2.6
- 2016-12-09: Advisory published
- 2017-09-29: Requested CVE
Mitigation/further actions
Update to version 1.2.6 or later.