WordPress Easy Social Share Buttons 3.2.5 XSS
Posted on 26 April 2016
## FULL DISCLOSURE #Product :Easy Social Share Buttons for WordPress #Exploit Author : Rahul Pratap Singh #Version :3.2.5 #Home page Link : http://codecanyon.net/item/easy-social-share-buttons-for-wordpress/6394476 #Website : 0x62626262.wordpress.com #Linkedin : https://in.linkedin.com/in/rahulpratapsingh94 #Date : 21/4/2016 XSS Vulnerability: ---------------------------------------- Description: ---------------------------------------- Following parameters are not sanitized that leads to XSS Vulnerability. ---------------------------------------- Vulnerable Code: ---------------------------------------- File Name: testfiles/Easy Social Share Buttons for WordPress v3.2.5/easy-social-share-buttons3/lib/modules/social-image-share/essb-social-image-share-selected.php Found at line:16 echo '<link rel="canonical" href="'.$page_link.'"/>'; Found at line:17 echo '<meta property="og:url" content="'.$page_link.'"/>'; Found at line:18 echo '<meta property="twitter:url" content="'.$page_link.'"/>'; Found at line:20 echo '<meta property="og:image" content="http://'.$_GET['img'].'"/>'; Found at line:21 echo '<meta property="twitter:image" content="http://'.$_GET['img'].'"/>'; Found at line:38 echo '<meta http-equiv="refresh" content="0;url='.$_GET['url'].'">'; File Name: testfiles/Easy Social Share Buttons for WordPress v3.2.5/easy-social-share-buttons3/lib/modules/social-metrics-lite/esml-render-results.php Found at line:49 <input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" /> File Name: testfiles/Easy Social Share Buttons for WordPress v3.2.5/easy-social-share-buttons3/lib/admin/essb-settings-shortcode-generator.php Found at line:3 $active_shortcode = isset($_REQUEST['code']) ? $_REQUEST['code'] : 'easy-social-share'; Found at line:7 $scg->activate($active_shortcode); Found at line:53 <input type="hidden" id="code" name="code" value="<?php echo $active_shortcode; ?>"/> File Name: testfiles/Easy Social Share Buttons for WordPress v3.2.5/easy-social-share-buttons3/lib/core/options/essb-options-interface.php Found at line:8 $active_section = isset($_REQUEST['section']) ? $_REQUEST['section'] : ''; Found at line:24 echo '<input id="section" name="section" type="hidden" value="'.$active_section.'"/>'; File Name: testfiles/Easy Social Share Buttons for WordPress v3.2.5/easy-social-share-buttons3/lib/core/options/essb-options-interface.php Found at line:9 $active_subsection = isset($_REQUEST['subsection']) ? $_REQUEST['subsection'] : ''; Found at line:25 echo '<input id="subsection" name="subsection" type="hidden" value="'.$active_subsection.'"/>'; Found at line:26 echo '<input id="tab" name="tab" type="hidden" value="'.$current_tab.'"/>'; ---------------------------------------- Fix: Update to 3.5 Vulnerability Disclosure Timeline: → March 12, 2016 – Bug discovered, initial report to Vendor → March 14, 2016 – Vendor Acknowledged → March 30, 2016 – Vendor Deployed a Patch Pub Ref: https://0x62626262.wordpress.com/2016/04/21/easy-social-share-buttons-for-wordpress-xss-vulnerability/ http://fb.creoworx.com/essb/change-log/
