Easy Social Icons XSS Vulnerability

Heads-up to all Easy Social Icons users running a version earlier than 3.0.9.

If you happen to be one of the 40,000+ users of the Easy Social Icons WordPress plugin, please make sure that you immediately update to the latest version, which at the time of writing this post is version 3.1.3.

You may be asking why you need to update. The Wordfence Threat Intelligence team discovered a Cross-Site Scripting (XSS) vulnerability in the plugin that allowed an attacker to inject malicious JavaScript.

EASY SOCIAL ICONS XSS VULNERABILITY

Below is a snippet from the Wordfence official blog regarding the XSS vulnerability:

The Easy Social Icons plugin options page contained JavaScript designed to display a confirmation dialog when a user deleted an icon, and then redirect them to a URL that would perform the final deletion. It constructed this URL using the value of the $_SERVER['PHP_SELF'] variable. This differs slightly from yesterday's vulnerability, which used $GLOBALS['PHP_SELF'].

    function show_confirm(title, id)
    {
        var rpath1 = "";
        var rpath2 = "";
        var r = confirm('Are you confirm to delete "'+title+'"');
        if (r==true)
        {
            // rpath1 is filled by PHP echoing $_SERVER['PHP_SELF'] straight into
            // the JavaScript string literal; that reflected request path is the
            // injection point described above
            rpath1 = '<?php echo $_SERVER['PHP_SELF']; ?>';
            rpath2 = '&cnss-delete=y&id='+id;
            window.location = rpath1+rpath2;
        }
    }
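To make the fix concrete, here is an added example (not the plugin's code and not Wordfence's) that places the pattern described above, echoing $_SERVER['PHP_SELF'] into an inline script, next to a hardened version that builds the delete URL from WordPress' own settings, protects the action with a nonce, and emits the value as a properly escaped JavaScript literal. The admin page slug 'example_icons_page', the nonce action 'example_delete_icon', the helper example_delete_icon() and the query parameter names are assumptions; admin_url(), add_query_arg(), wp_create_nonce(), wp_json_encode(), check_admin_referer(), current_user_can(), absint() and wp_die() are standard WordPress functions.

```php
<?php
// Added example: vulnerable pattern beside its hardened replacement.
// Slug, nonce action, parameter names and example_delete_icon() are
// assumed for illustration; the wp_* helpers are WordPress core.

// VULNERABLE: PHP_SELF is derived from the request, not from a trusted
// setting, so whatever the request supplies as the script path lands
// verbatim inside a JavaScript string literal. Nothing stops a quote or
// a closing </script> tag from terminating the literal early.
function example_vulnerable_confirm_script(): string
{
    return "<script>
function show_confirm(title, id) {
    if (confirm('Delete \"' + title + '\"?')) {
        window.location = '" . $_SERVER['PHP_SELF'] . "?page=example_icons_page&cnss-delete=y&id=' + id;
    }
}
</script>";
}

// HARDENED: the base URL comes from admin_url(), which never reflects the
// request path; the link carries a nonce so it cannot be triggered
// cross-site; and the value is emitted as a JSON literal with the HEX
// flags, so quotes, '<', '>' and '&' are encoded and the string cannot
// escape its JavaScript or HTML context.
function example_hardened_confirm_script(): string
{
    $delete_base = add_query_arg(
        array(
            'page'        => 'example_icons_page',                     // assumed slug
            'cnss-delete' => 'y',
            '_wpnonce'    => wp_create_nonce('example_delete_icon'),  // assumed action
        ),
        admin_url('admin.php')
    );
    $js_literal = wp_json_encode(
        $delete_base,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );

    return "<script>
var exampleDeleteBase = " . $js_literal . ";
function show_confirm(title, id) {
    // id is coerced to a non-negative integer before it joins the URL
    var safeId = Math.max(0, parseInt(id, 10) || 0);
    if (confirm('Delete \"' + title + '\"?')) {
        window.location = exampleDeleteBase + '&id=' + safeId;
    }
}
</script>";
}

// The request handler verifies the nonce and the caller's capability
// before acting, and only ever sees the id as an integer.
function example_handle_delete_request(): void
{
    if (!isset($_GET['cnss-delete']) || $_GET['cnss-delete'] !== 'y') {
        return;
    }
    check_admin_referer('example_delete_icon');   // dies on a missing or bad nonce
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.');
    }
    $id = absint($_GET['id'] ?? 0);
    if ($id > 0) {
        example_delete_icon($id);   // hypothetical plugin-specific deletion
    }
}
```

The reason PHP_SELF should never be reflected at all, rather than merely escaped, is that on common server configurations it includes any PATH_INFO segment the requester appends after the script name, so it is request-controlled input like any other. Building the URL from admin_url() removes that input from the page entirely; wp_json_encode() with the HEX flags is the belt-and-braces escaping for anything that still has to cross into an inline script.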

Check out the Wordfence blog post for complete information regarding this Easy Social Icons XSS vulnerability.

If you don't log in to your WordPress dashboard frequently, it's best to enable auto-updates for your WordPress plugins. You can do that by going to Dashboard > Plugins, looking for the "Automatic update" column, and clicking "Enable auto-updates".
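For sites managed from code rather than the dashboard, the same result can be pinned down with WordPress' auto_update_plugin filter. This is an added example, not part of the original post; it assumes the plugin's wordpress.org slug is easy-social-icons and is meant to live in a must-use plugin (wp-content/mu-plugins/) so it runs before the updater decides anything.

```php
<?php
// Added example: opt specific plugins into automatic updates via the
// auto_update_plugin filter (WordPress core), as a code-level alternative
// to the Dashboard > Plugins toggle. The slug is an assumption.
add_filter('auto_update_plugin', function ($update, $item) {
    $always_update = array('easy-social-icons');   // slugs to keep current

    if (isset($item->slug) && in_array($item->slug, $always_update, true)) {
        return true;    // force auto-update for the listed plugins
    }

    return $update;     // leave every other plugin's own setting untouched
}, 10, 2);
```

Returning $update unchanged for everything else matters: returning false there would silently switch off auto-updates that an administrator enabled through the dashboard.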



administrator

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Facebook or Twitter.
