Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Authenticated XSS Found in WordPress Plugin Facebook Widget

The WordPress plugin Facebook Widget (Widget for Facebook Page Feeds), which was recently closed on the WordPress plugin directory, is affected by an authenticated persistent Cross-Site Scripting (XSS), Plugin Vulnerabilities reports. 

The WordPress plugin Facebook Widget (Widget for Facebook Page Feeds), which was recently closed on the WordPress plugin directory, is affected by an authenticated persistent Cross-Site Scripting (XSS), Plugin Vulnerabilities reports. 

With nearly 1 million total downloads, the plugin was among the top 1000 most popular on WordPress, which puts a large number of websites and users at risk in the event attackers start targeting the vulnerability. 

The issue, Plugin Vulnerabilities explains, resides in the lack of proper handling of the security of shortcode attributes.

Specifically, the shortcode “fb_widget” causes the function fb_plugin_shortcode() to run. The function’s first line of code, however, sets attributes from a shortcode to the variable $defaults without sanitizing the input. The code also shows output as HTML tag attributes that are not being escaped.

While WordPress does some sanitization for lower level users, it does not do the same for usage as HTML tag attributes, Plugin Vulnerabilities explains. 

The vulnerability could be abused to cause malicious JavaScript to be included on the page, which results in the authenticated persistent cross-site scripting (XSS). Proof-of-concept to demonstrate the attack has been published online. 

Because of dispute with WordPress Support Forum moderators, Plugin Vulnerabilities has disclosed the security bug publicly on their website, although they also left a message about that for the developer through the forum. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.