Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

WordPress Plugin Facebook Widget affected by authenticated XSS

Security experts at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in Facebook Widget. Researchers at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in the Facebook Widget (Widget for Facebook Page Feeds). The plugin is one of the 1,000 most popular plugins and it was closed on the […]

ShapedPlugin plugin

Security experts at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in Facebook Widget.

Researchers at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in the Facebook Widget (Widget for Facebook Page Feeds).

The plugin is one of the 1,000 most popular plugins and it was closed on the WordPress Plugin Directory yesterday. After being informed of the closure, the experts analyzed the plugin and discovered it is affected by an authenticated persistent cross-site scripting (XSS) vulnerability. The flaw is caused by the improper handling of the security of shortcode attributes.

“While we were looking in to the plugin to see if there were any vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains an authenticated persistent cross-site scripting (XSS) vulnerability due to not properly handling the security of shortcode attributes.” read the analysis published by Plugin Vulnerabilities.

Experts pointed out that the shortcode “fb_widget” causes the function fb_plugin_shortcode() to run. Analyzing the function, experts found in the first line the code that sets attributes from a shortcode to the variable $defaults without sanitizing the input.

For lower level users, WordPress does not sanitize them for usage as HTML tag attributes. The code in the last line shows output as HTML tag attributes that are not being escaped.

The flaw could be exploited by an attacker to trigger the execution of malicious JavaScript that has to be included on the page.

To protest against the moderators of the WordPress Support Forum’s, the experts decided to disclose the flaw and to share the proof-of-concept code.

“When logged in as an Author, which does not have the unfiltered_html capability, place the following shortcode on a post:

[fb_widget height='" onmouseover="alert(document.cookie)']

“When visiting the post on the frontend, when hovering over the facebook widget an alert box with any available cookies will be shown.” reads the analysis”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Facebook Widget, XSS)

[adrotate banner=”5″]

[adrotate banner=”13″]