WordPress Plugin Facebook Widget affected by authenticated XSS

June 20, 2019 0 Comments


ecurity experts at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in Facebook Widget.

Researchers at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in the Facebook Widget (Widget for Facebook Page Feeds).

The plugin is one of the 1,000 most popular plugins and it was closed on the WordPress Plugin Directory yesterday. After being informed of the closure, the experts analyzed the plugin and discovered it is affected by an authenticated persistent cross-site scripting (XSS) vulnerability. The flaw is caused by the improper handling of the security of shortcode attributes.

“While we were looking in to the plugin to see if there were any vulnerabilities we should be warning users of the plugin that also use this service, we found that it contains an authenticated persistent cross-site scripting (XSS) vulnerability due to not properly handling the security of shortcode attributes.” read the analysis published by Plugin Vulnerabilities.

Experts pointed out that the shortcode “fb_widget” causes the function fb_plugin_shortcode() to run. Analyzing the function, experts found in the first line the code that sets attributes from a shortcode to the variable $defaults without sanitizing the input.

For lower level users, WordPress does not sanitize them for usage as HTML tag attributes. The code in the last line shows output as HTML tag attributes that are not being escaped.

The flaw could be exploited by an attacker to trigger the execution of malicious JavaScript that has to be included on the page.

To protest against the moderators of the WordPress Support Forum’s, the experts decided to disclose the flaw and to share the proof-of-concept code.

“When logged in as an Author, which does not have the unfiltered_html capability, place the following shortcode on a post:

[fb_widget height='" onmouseover="alert(document.cookie)']


“When visiting the post on the frontend, when hovering over the facebook widget an alert box with any available cookies will be shown.” reads the analysis”