WordPress Facebook Like Button 2.32 Cross Site Scripting

2015-12-17T00:00:00
ID PACKETSTORM:134892
Type packetstorm
Reporter Madhu Akula
Modified 2015-12-17T00:00:00

Description

Plugin Name : Facebook Like Button  
  
Affected Version : 2.32 (and most probably lower versions, if any)  
  
Vulnerability : A3-Cross-Site Scripting (XSS)  
  
Identified by : Madhu Akula  
  
  
  
Technical Details  
  
Minimum Level of Access Required : Administrator  
  
PoC - (Proof of Concept) :  
  
On the plugin settings page below, submit the following payload in the named field:  
  
  
http://localhost/wp-admin/admin.php?page=facebook-button-plugin.php  
  
  
fcbkbttn_link = '><script>alert(1)</script>  
  
  
Vulnerable Parameter : fcbkbttn_link  
  
  
Type of XSS : Reflected  
  
Fixed in : 2.33  
  
http://wordpress.org/plugins/facebook-button-plugin/changelog/  
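The following PHP is an added illustration of the pattern behind this class of bug, not code from the Facebook Like Button plugin or its changelog. It reuses the parameter name fcbkbttn_link from the advisory; the function names, the option name, the nonce action and the capability check are assumptions made for the example. The first function reflects the submitted value into a single-quoted attribute unescaped, which is exactly the context the payload above breaks out of; the second shows the defensive form a WordPress settings handler would use.

```php
<?php
// Added example (not the plugin's actual code). Field name follows the
// advisory; option name, nonce action and function names are assumptions.

// --- Vulnerable pattern (illustrative "before") ---
// The request value is echoed straight into a single-quoted attribute.
// A value such as  '><script>alert(1)</script>  closes the attribute and
// the <input> tag, so the browser parses and runs the injected script.
function fcbkbttn_render_link_field_vulnerable() {
    $link = isset( $_REQUEST['fcbkbttn_link'] ) ? $_REQUEST['fcbkbttn_link'] : '';
    echo "<input type='text' name='fcbkbttn_link' value='" . $link . "' />";
}

// --- Hardened pattern (illustrative "after") ---
function fcbkbttn_render_link_field_hardened() {
    // The page is administrator-only; refuse anyone without that capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'facebook-button-plugin' ) );
    }

    if ( isset( $_POST['fcbkbttn_link'] ) ) {
        // A nonce ties the submission to a form this user actually rendered,
        // so a crafted link cannot make an admin's browser submit the value.
        check_admin_referer( 'fcbkbttn_save_settings' );
        // Input validation: esc_url_raw() strips characters that are not
        // valid in a URL before the value is stored.
        $link = esc_url_raw( wp_unslash( $_POST['fcbkbttn_link'] ) );
        update_option( 'fcbkbttn_link', $link );
    } else {
        $link = get_option( 'fcbkbttn_link', '' );
    }

    // Output encoding for the attribute context: esc_attr() turns quotes
    // and angle brackets into HTML entities, so the value can never close
    // the attribute regardless of what was stored.
    echo "<input type='text' name='fcbkbttn_link' value='" . esc_attr( $link ) . "' />";
    wp_nonce_field( 'fcbkbttn_save_settings' );
}
```

The decisive line is the final echo: reflected XSS in a settings page is an output-encoding failure, so the fix that actually closes the hole is escaping for the exact context (esc_attr() for an attribute value), with the nonce and capability checks reducing who can reach the sink in the first place.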
  
Disclosure Timeline  
  
Vendor Contacted : 2014-08-04  
  
Plugin Status : Updated on 2014-08-07  
  
Public Disclosure : October 3, 2015  
  
CVE Number : Not assigned yet  
  
Plugin Description :  
  
Facebook Like Button Plugin allows you to add a Follow button the easiest way. If your life is tightly connected with your Facebook account, our plugin is the best solution for you. It contains minimum settings. Just a few clicks and voila - the Facebook button is on your site.  