Title: WordPress 'Facebook Like Box' plugin - CSRF/XSS
Version: 2.8.2
Reported by: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2014/12/12
Download: https://wordpress.org/plugins/cardoza-facebook-like-box/
Notified WordPress: 2014/11/27

----------------------------------------------------------------
## Description:
----------------------------------------------------------------
Facebook Like Box is a social plugin that enables Facebook Page owners to attract and gain Likes from their own website.

----------------------------------------------------------------
## CSRF:
----------------------------------------------------------------
It is possible to change the plugin's admin settings by tricking a logged-in admin into visiting a crafted page.

----------------------------------------------------------------
## Stored XSS:
----------------------------------------------------------------
Settings data from the admin page is stored unsanitized and echoed back on the plugin's admin page. This allows an attacker to perform XSS through these fields.

PoC: Log in to a vulnerable site and press submit on this form:

----------------------------------------------------------------
## Solution
----------------------------------------------------------------
You should upgrade to version 2.8.3.
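For reference, the two defects described above (a settings form saved without a CSRF token, and stored values echoed unescaped) are closed in a WordPress settings page by a nonce check on write plus sanitization on input and escaping on output. The handler below is an added illustration written for this advisory, not the plugin's own code; the option names, field names, nonce action and menu slug are all hypothetical.

```php
<?php
// Hypothetical settings page for a WordPress plugin (illustration only; not the plugin's code).
// All names below (fblb_example_*) are assumptions, not identifiers from the real plugin.

function fblb_example_register_menu() {
    add_options_page( 'Like Box Example', 'Like Box Example', 'manage_options',
                      'fblb-example', 'fblb_example_settings_page' );
}
add_action( 'admin_menu', 'fblb_example_register_menu' );

function fblb_example_settings_page() {
    // Authorization: only administrators may view or change the settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }

    if ( isset( $_POST['fblb_example_submit'] ) ) {
        // CSRF fix: the request must carry a nonce bound to this action and the current user.
        // A form on an attacker's page cannot obtain this value, so the save is refused.
        check_admin_referer( 'fblb_example_save', 'fblb_example_nonce' );

        // Stored XSS fix (input side): sanitize before persisting.
        $page_url = isset( $_POST['fblb_example_page_url'] )
            ? esc_url_raw( wp_unslash( $_POST['fblb_example_page_url'] ) ) : '';
        $title = isset( $_POST['fblb_example_title'] )
            ? sanitize_text_field( wp_unslash( $_POST['fblb_example_title'] ) ) : '';
        update_option( 'fblb_example_page_url', $page_url );
        update_option( 'fblb_example_title', $title );
    }

    $page_url = get_option( 'fblb_example_page_url', '' );
    $title    = get_option( 'fblb_example_title', '' );
    ?>
    <div class="wrap">
      <form method="post">
        <?php wp_nonce_field( 'fblb_example_save', 'fblb_example_nonce' ); ?>
        <label>Page URL
          <!-- Stored XSS fix (output side): escape on echo; never trust stored values. -->
          <input type="text" name="fblb_example_page_url" value="<?php echo esc_attr( $page_url ); ?>">
        </label>
        <label>Title
          <input type="text" name="fblb_example_title" value="<?php echo esc_attr( $title ); ?>">
        </label>
        <input type="submit" name="fblb_example_submit" value="Save">
      </form>
    </div>
    <?php
}
```

Both halves matter: the nonce alone does not stop an administrator from storing a script payload in their own settings, and escaping alone does not stop a cross-site form submission from changing the settings.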