Advisory:

Reflected XSS in Social Pug – Easy Social Share Buttons could allow an attacker to do almost anything an admin user can

Vulnerability

Last revised:

This plugin takes input from $_GET and puts it directly into HTML without escaping it. This means that anybody who is able to convince an admin user to click on a link would be able to take control of their browser on that domain name and delete posts, add new admin users, etc..

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Log in as an admin user with this plugin activated, using a browser without reflected XSS prevention (i.e. Firefox). Visit this URL:

/wp-admin/admin.php?page=dpsp-toolkit&settings-updated=1&dpsp_message_id=0&dpsp_message_class=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Advisory timeline

  • 2016-02-24: Discovered
  • 2016-12-07: Reported via¬†https://devpups.com/support/
  • 2016-12-07: Requested CVE
  • 2016-12-08: Vendor reported issue fixed in 1.2.6
  • 2016-12-09: Advisory published
  • 2017-09-29: Requested CVE

Mitigation/further actions

Update to version 1.2.6 or later.