CVE-2021-24196 Social Slider Widget < 1.8.5 - Reflected XSS

Plugin Information

• Plugin Page: https://wordpress.org/plugins/instagram-slider-widget
• Tested Version: 1.8.4
• Patched Version: 1.8.5
• Installs: 90000+

Description

In the plugin settings page, the user input ‘token_error’ parameter is directly echoed without being sanitized. This allows an attacker to deliver malicious content to the vulnerable page via a reflected XSS attack.

Here’s the POC:

/wp-admin/admin.php?page=settings-wisw&token_error=<script>alert(document.cookie);</script>

When the server responds, the injected payloads are executed by the victim’s browser.

The vulnerability requires user interaction e.g. clicking a crafted link and only affects the WordPress administrators who are accessible to the plugin settings page (/wp-admin/admin.php?page=settings-wisw). The vendor has fixed the flaw with sanitization in 1.8.5.

Timeline

2021-01-12 Report to WordPress Plugin Review team

2021-01-13 Review team confirmed the issue and reported to vendor

2021-01-14 Vendor released 1.8.5 to fix the flaw

2021-01-21 Contacted the developer via email for publishing the issues. No further response

2021-03-14 Public disclosure

2021-03-17 Reported to wpscan and reserved CVE-2021-24196