ALERT: Easy Social Icons XSS Vulnerability

Heads-up to all Easy Social Icons users who are running a version earlier than 3.0.9.

If you happen to be one of the 40,000+ users of the Easy Social Icons WordPress plugin, please make sure that you immediately update to the latest version which at the time of writing this post is version 3.1.3.

You could be asking why you need to update? Well, the Wordfence Threat Intelligence team discovered an XSS (Cross-Site Scripting) vulnerability in the mentioned plugin that allowed an attacker to add malicious JavaScript.

Below is a snippet from the Wordfence official blog regarding the XSS vulnerability:

The Easy Social Icons plugin options page contained a JavaScript designed to display a confirmation dialog when a user deleted an icon, and then redirect them to a URL that would perform the final deletion. It constructed this URL using the value of the $_SERVER['PHP_SELF'] variable. This differs slightly from yesterday's vulnerability, which used $GLOBALS['PHP_SELF'].

function show_confirm(title, id)
{
    var rpath1 = "";
    var rpath2 = "";
    var r = confirm('Are you confirm to delete "' + title + '"');
    if (r == true)
    {
        // In the plugin this string is an inline PHP echo of $_SERVER['PHP_SELF'];
        // the excerpt lost that part, which is what made the URL attacker-influenced.
        rpath1 = '';
        rpath2 = '&cnss-delete=y&id=' + id;
        window.location = rpath1 + rpath2;
    }
}

Check out the Wordfence blog post for complete information regarding this Easy Social Icons XSS vulnerability.
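As an added example (not code from this post, Wordfence, or the plugin), here is a small Python check that flags the pattern Wordfence describes: a PHP template echoing $_SERVER['PHP_SELF'] or $GLOBALS['PHP_SELF'] into page output without an escaping wrapper. The sample template is constructed to resemble the excerpted show_confirm() function; esc_js(), esc_url() and admin_url() are real WordPress functions, and the page name used in it is a placeholder.

```python
import re

# Escaping wrappers that neutralise a PHP_SELF echo for its output context.
# esc_js/esc_url/esc_attr/esc_html are WordPress functions; htmlspecialchars is core PHP.
SAFE_WRAPPERS = {"esc_js", "esc_url", "esc_attr", "esc_html", "htmlspecialchars"}

# An inline PHP echo of PHP_SELF via either superglobal form named in the post,
# capturing an optional wrapping function call such as "esc_js(".
PHP_SELF_ECHO = re.compile(
    r"<\?(?:php)?\s*echo\s+(?P<wrap>[A-Za-z_]\w*\s*\()?\s*"
    r"\$(?:_SERVER|GLOBALS)\s*\[\s*['\"]PHP_SELF['\"]\s*\]"
)

def find_unescaped_php_self(source: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for every PHP_SELF echo whose
    value reaches the page without one of the known escaping wrappers."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in PHP_SELF_ECHO.finditer(line):
            wrapper = (match.group("wrap") or "").rstrip("( \t")
            if wrapper not in SAFE_WRAPPERS:
                findings.append((lineno, line.strip()))
    return findings

# Constructed sample modelled on the excerpted show_confirm() function:
# line 3 is the vulnerable pattern, lines 4 and 5 are safe alternatives
# (line 5 avoids PHP_SELF entirely, which is the preferable fix).
SAMPLE_TEMPLATE = """\
<script type="text/javascript">
function show_confirm(title, id) {
    var rpath1 = '<?php echo $_SERVER['PHP_SELF']; ?>?page=example-page';
    var rpath2 = '<?php echo esc_js($GLOBALS['PHP_SELF']); ?>';
    var rpath3 = '<?php echo esc_url(admin_url('admin.php?page=example-page')); ?>';
    if (confirm('Delete "' + title + '"?')) {
        window.location = rpath3 + '&delete=y&id=' + id;
    }
}
</script>
"""

if __name__ == "__main__":
    for lineno, text in find_unescaped_php_self(SAMPLE_TEMPLATE):
        print(f"line {lineno}: unescaped PHP_SELF echo -> {text}")
```

Run it against a plugin's PHP files to get a quick list of places to review; only line 3 of the sample is reported.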

If you don't log in to your WordPress dashboard frequently, it's best to enable auto-updates for your WordPress plugins. You can do that by going to Dashboard > Plugins, looking for the “Automatic update” column, and clicking “Enable auto-updates”.

JP Habaradas

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Facebook or Twitter.