ALERT: Easy Social Icons XSS Vulnerability

Easy Social Icons XSS Vulnerability

Heads-up to all Easy Social Icons users who are running a version earlier than 3.0.9.

If you happen to be one of the 40,000+ users of the Easy Social Icons WordPress plugin, update immediately to the latest version, which at the time of writing is 3.1.3.

You may be asking why you need to update. The Wordfence Threat Intelligence team discovered a Cross-Site Scripting (XSS) vulnerability in the plugin's options page that allowed an attacker to inject malicious JavaScript.

EASY SOCIAL ICONS XSS VULNERABILITY

Below is a snippet from the Wordfence official blog regarding the XSS vulnerability:

The Easy Social Icons plugin options page contained JavaScript designed to display a confirmation dialog when a user deleted an icon, and then redirect them to a URL that would perform the final deletion. It constructed this URL using the value of the $_SERVER['PHP_SELF'] variable. This differs slightly from yesterday's vulnerability, which used $GLOBALS['PHP_SELF'].

function show_confirm(title, id)
{
    var rpath1 = "";
    var rpath2 = "";
    var r = confirm('Are you confirm to delete "' + title + '"');
    if (r == true)
    {
        // Injection point: $_SERVER['PHP_SELF'] is the request path exactly as the
        // client sent it (the script name plus any PATH_INFO appended to it), and
        // it is echoed unescaped into a single-quoted JavaScript string.
        rpath1 = '<?php echo $_SERVER['PHP_SELF']; ?>';
        rpath2 = '&cnss-delete=y&id=' + id;
        window.location = rpath1 + rpath2;
    }
}
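To make the injection concrete, here is an added example that is not the plugin's code and not from the Wordfence post. It reproduces the pattern the excerpt describes (a JavaScript redirect URL built from $_SERVER['PHP_SELF']) as a plain PHP script, renders it once for a benign request and once for a request with a payload in PATH_INFO, and then shows a hardened rendering. The function names, the page slug cnss_icons and the sample request paths are assumptions for illustration. On servers that accept PATH_INFO (the usual Apache/mod_php setup), a request for /wp-admin/admin.php/anything is still served by admin.php, and PHP_SELF becomes the script name plus that attacker-chosen tail.

```php
<?php
// Added example, not the plugin's code. Function names, the 'cnss_icons' page
// slug and the sample request paths below are assumptions for illustration.

// Vulnerable pattern: PHP_SELF (script name plus any PATH_INFO the attacker
// appended) is concatenated straight into a single-quoted JavaScript string.
function render_delete_script_vulnerable(string $php_self, int $id): string
{
    return "rpath1 = '" . $php_self . "?page=cnss_icons';\n"
         . "rpath2 = '&cnss-delete=y&id=" . $id . "';\n"
         . "window.location = rpath1 + rpath2;";
}

// Hardened pattern: never derive the URL from the request. Use a value the
// server owns (inside WordPress that would be admin_url('admin.php?page=cnss_icons'))
// and emit it as a JSON string literal with the HEX flags, so no character in it
// can end the string, close the <script> element or break out of an attribute.
// json_encode stands in here for WordPress's wp_json_encode()/esc_js() helpers,
// because this script runs outside WordPress.
function render_delete_script_hardened(string $base_url, int $id): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $url   = $base_url . '?page=cnss_icons&cnss-delete=y&id=' . $id;
    return 'window.location = ' . json_encode($url, $flags) . ';';
}

// Constructed sample request paths: one benign, one carrying a payload in PATH_INFO.
$benign  = '/wp-admin/admin.php';
$hostile = "/wp-admin/admin.php/';alert(document.cookie);//";

echo "--- vulnerable, benign request ---\n";
echo render_delete_script_vulnerable($benign, 7), "\n\n";

// The payload's leading quote closes the JS string, alert() runs, and the
// trailing // comments out the rest of the line, so the script stays valid.
echo "--- vulnerable, hostile request ---\n";
echo render_delete_script_vulnerable($hostile, 7), "\n\n";

// PATH_INFO never reaches the output; the URL is fixed by the server.
echo "--- hardened ---\n";
echo render_delete_script_hardened('https://example.com/wp-admin/admin.php', 7), "\n";
```

Run it with php on the command line and compare the second and third outputs: in the hostile case the first line reads rpath1 = '/wp-admin/admin.php/';alert(document.cookie);//?page=cnss_icons'; which a browser executes as three statements, while the hardened version prints a single quoted literal with & and / escaped. The escaping is only the second line of defence; the real fix is the first one, not letting request-controlled data into the URL at all.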

Check out the Wordfence blog post for complete information regarding this Easy Social Icons XSS vulnerability.

If you don't log in to your WordPress dashboard frequently, it's best to enable auto-updates for your WordPress plugins. To do that, go to Dashboard > Plugins, look for the "Automatic Updates" column, and click "Enable auto-updates".
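For sites you rarely log in to, the same switch can be flipped in code so it survives being toggled off in the dashboard. The following is an added example, not from this post or the plugin: a must-use plugin (a file dropped into wp-content/mu-plugins/) that forces automatic updates for one plugin through WordPress's auto_update_plugin filter, which core consults before every automatic update run. The plugin slug easy-social-icons is an assumption; check it against the plugin's directory name under wp-content/plugins/.

```php
<?php
/*
 * Plugin Name: Force auto-updates for Easy Social Icons
 * Description: Added example (not the plugin's own code). Forces automatic
 *              updates for one plugin via the auto_update_plugin filter.
 */

// The slug below is an assumption; confirm it against wp-content/plugins/.
const FORCED_AUTO_UPDATE_SLUG = 'easy-social-icons';

// WordPress calls this filter with the current decision ($update) and an object
// describing the plugin ($item). Returning true forces the update for our
// plugin; every other plugin keeps whatever WordPress already decided.
add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->slug) && $item->slug === FORCED_AUTO_UPDATE_SLUG) {
        return true;
    }
    return $update;
}, 10, 2);
```

Automatic updates still depend on WP-Cron (the scheduled wp_maybe_auto_update event), so on a site that gets no traffic make sure the cron is triggered by a real system cron job or the update will never run.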


JaypeeOnline