Authenticated XSS Found in WordPress Plugin Facebook Widget

The WordPress plugin Facebook Widget (Widget for Facebook Page Feeds), which was recently closed on the WordPress plugin directory, is affected by an authenticated persistent Cross-Site Scripting (XSS), Plugin Vulnerabilities reports. 

With nearly 1 million total downloads, the plugin was among the top 1000 most popular on WordPress, which puts a large number of websites and users at risk in the event attackers start targeting the vulnerability. 

The issue, Plugin Vulnerabilities explains, resides in the lack of proper handling of the security of shortcode attributes.

Specifically, the shortcode “fb_widget” causes the function fb_plugin_shortcode() to run. The function’s first line of code, however, sets attributes from a shortcode to the variable $defaults without sanitizing the input. The code also shows output as HTML tag attributes that are not being escaped.

While WordPress does some sanitization for lower level users, it does not do the same for usage as HTML tag attributes, Plugin Vulnerabilities explains. 

The vulnerability could be abused to cause malicious JavaScript to be included on the page, which results in the authenticated persistent cross-site scripting (XSS). Proof-of-concept to demonstrate the attack has been published online. 

Because of dispute with WordPress Support Forum moderators, Plugin Vulnerabilities has disclosed the security bug publicly on their website, although they also left a message about that for the developer through the forum.