Heads-up to all Easy Social Icons users who are running a version prior to 3.0.9.
If you happen to be one of the 40,000+ users of the Easy Social Icons WordPress plugin, please update immediately to the latest version, which at the time of writing this post is version 3.1.3.
EASY SOCIAL ICONS XSS VULNERABILITY
Below is a snippet from the Wordfence official blog regarding the XSS vulnerability:
$_SERVER['PHP_SELF'] variable. This differs slightly from yesterday’s vulnerability, which used

function show_confirm(title, id) {
    var rpath1 = "";
    var rpath2 = "";
    var r = confirm('Are you confirm to delete "' + title + '"');
    // rpath1 is shown empty in this excerpt; the quoted text above refers to
    // the plugin filling the redirect path from $_SERVER['PHP_SELF'].
    rpath1 = '';
    rpath2 = '&cnss-delete=y&id=' + id;
    window.location = rpath1 + rpath2;
}
Check out the Wordfence blog post for complete information regarding this Easy Social Icons XSS Vulnerability
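To make the pattern concrete, here is an added illustration (not code from the plugin or from Wordfence, written in plain PHP so it runs outside WordPress): a request-derived path echoed into an inline script, beside a hardened form that builds the URL server-side and encodes it for the JavaScript string context. The page slug PLUGIN_PAGE_SLUG and the sample request path are placeholders I constructed for the demonstration.

```php
<?php
// Added illustration, not the plugin's or Wordfence's code.

// Vulnerable pattern: $_SERVER['PHP_SELF'] reflects the request path, including any
// extra path segment a visitor appends after the script name, so it is visitor-controlled.
// Writing it unencoded inside a JS string literal in an inline <script> lets that input
// leave the string and the script element (reflected XSS).
function render_delete_script_vulnerable(string $php_self): string {
    $html  = "<script>\n";
    $html .= 'var rpath1 = "' . $php_self . '?page=PLUGIN_PAGE_SLUG";' . "\n"; // placeholder slug
    $html .= "</script>\n";
    return $html;
}

// Hardened: (1) do not derive the URL from request input at all; build it from a
// server-side constant (in WordPress: admin_url('admin.php?page=...')), and
// (2) encode it for the JavaScript-string-inside-HTML context. json_encode with the
// JSON_HEX_* flags turns " ' < > & into \uXXXX escapes, the plain-PHP counterpart
// of WordPress's esc_js().
function render_delete_script_hardened(string $admin_base): string {
    $url = $admin_base . '?page=PLUGIN_PAGE_SLUG'; // placeholder slug
    $js  = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>\nvar rpath1 = " . $js . ";\n</script>\n";
}

// Reviewer-level check: a raw < or > inside a script body is what lets the HTML parser
// end the script element early, so the emitted body must contain neither.
function script_body_is_clean(string $html): bool {
    $body = str_replace(['<script>', '</script>'], '', $html);
    return strpbrk($body, '<>') === false;
}

// Constructed sample request path containing JS-string and HTML metacharacters.
$constructed_php_self = '/wp-admin/admin.php/extra"<>segment';

var_dump(script_body_is_clean(render_delete_script_vulnerable($constructed_php_self)));
var_dump(script_body_is_clean(render_delete_script_hardened('/wp-admin/admin.php')));
```

The first check fails because the constructed path passes straight through; the second passes because every metacharacter in the URL is hex-escaped before it reaches the page.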
If you don’t log in to your WordPress dashboard frequently, it’s best to enable auto-updates for your WordPress plugins. You can do that by going to Dashboard > Plugins, looking for the “Automatic update” column, and clicking “Enable auto-updates”.