Ultimate Instagram Feed <= 1.3 - Authenticated Cross-Site Scripting (XSS)

Source: wpexploit
WPEX-ID: 631F0699-485C-402E-8403-68C0B549AE96
Published: Nov 08, 2017
Author: Dimopoulos Elias
EPSS: 0.001 (Low), percentile 46.4%

Author: OmarK

The vulnerability lies in the "access_token" parameter and results in a reflected XSS. The issue is in the file ultimate-instagram-feed/admin/partials/uif-access-token-display.php, line 19, where the vulnerable code is:

echo $_GET['access_token'];

The value of "access_token" is echoed into the page without any output encoding and is fully user-controlled, so any authenticated Administrator who follows a crafted link executes attacker-supplied JavaScript in the context of wp-admin.

A logged-in Administrator who clicks the specially crafted link is presented with a video, as shown in the attached PoC picture. When he clicks the video, the JavaScript code (an alert box for this PoC) is executed. I used this kind of payload in order to bypass the Chrome XSS Auditor.

The vulnerability has been tested against:
- Ultimate Instagram Feed version 1.2
- WordPress 4.8.3 running the Twenty Seventeen theme
- Chrome version 61.0.3163.100 (Official Build) (64-bit)

Timeline:
- 31 Oct 2017: Initial contact.
- 31 Oct 2017: Vendor replies and asks for more information.
- 1 Nov 2017: Details provided to the vendor.
- 2 Nov 2017: WordPress informed; the WordPress team requests more information and receives it.
- 4 Nov 2017: WordPress acknowledges.
- 4 Nov 2017: Vendor releases version 1.3, which fixes the issue.
- 8 Nov 2017: Public disclosure.

gr33tz for the payload @brutelogic (https://brutelogic.com.br/blog/chrome-xss-auditor-svg-bypass/)

PoC URL (replace *yoursite* with the target host):

http://*yoursite*/wp-admin/admin.php?page=ultimate-instagram-feed.php&access_token=%22%3E%3Cbr%3E%3C%2Fbr%3EPlease+Watch+the+video+before+proceeding%3A%3Cbr%3E%3Cbr%3E%3Csvg+width%3D12cm+height%3D9cm%3E%3Ca%3E%3Cimage+href%3D%2F%2Fbrutelogic.com.br%2Fyt.jpg+%2F%3E%3Canimate+attributeName%3Dhref+values%3Djavas%26%2399ript%3Aalert%28document.cookie%29%3E
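The following is an added example, not code from the Ultimate Instagram Feed plugin and not the advisory author's; it reproduces the pattern the advisory describes (a GET parameter echoed into an admin page unencoded) beside a hardened version that encodes for the HTML context it is printed in. The function names, the esc_html() stand-in (an approximation of WordPress's own function, used only so the file runs outside WordPress) and the sample token value are assumptions; the POC_TOKEN constant is the advisory's access_token parameter URL-decoded. Chrome has since removed the XSS Auditor (Chrome 78), so the filter-bypass step in the PoC no longer matters; the missing output encoding is the defect that needs fixing.

```php
<?php
// Added example, not code from the Ultimate Instagram Feed plugin or the advisory
// author. Function names and the esc_html() stand-in are assumptions for this example.

// Stand-in so the file runs outside WordPress; inside WordPress the real esc_html()
// is used instead. This approximates it (the real one also normalises existing entities).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// The advisory's access_token parameter, URL-decoded (constructed from the PoC link).
// "javas&#99ript:" is the entity-obfuscated scheme that evaded the Chrome XSS Auditor.
const POC_TOKEN = '"><br></br>Please Watch the video before proceeding:<br><br>'
    . '<svg width=12cm height=9cm><a><image href=//brutelogic.com.br/yt.jpg />'
    . '<animate attributeName=href values=javas&#99ript:alert(document.cookie)>';

// Vulnerable: mirrors "echo $_GET['access_token'];" - the raw value lands in the page,
// so the browser parses the attacker's <svg>/<animate> markup as part of the document.
function render_token_vulnerable(array $get): string
{
    return 'Access token: ' . ($get['access_token'] ?? '');
}

// Hardened: encode for the HTML text context the value is printed in. The encoder must
// match the output context: esc_html() for a text node, esc_attr() for an attribute
// value, esc_js() inside a script block; a bare echo is never correct for user input.
function render_token_hardened(array $get): string
{
    $token = (string) ($get['access_token'] ?? '');
    return 'Access token: ' . esc_html($token);
}

// Self-check: the markup survives the vulnerable path and is neutralised on the other.
$vuln = render_token_vulnerable(['access_token' => POC_TOKEN]);
$safe = render_token_hardened(['access_token' => POC_TOKEN]);
assert(strpos($vuln, '<svg') !== false);
assert(strpos($safe, '<svg') === false && strpos($safe, '&lt;svg') !== false);
echo $vuln, "\n", $safe, "\n";
// A benign (constructed, not real) token passes through unchanged.
echo render_token_hardened(['access_token' => 'IGQV.example-token_123']), "\n";
```

Run with `php example.php`; the first line printed is the page fragment a browser would execute, the second is the same input rendered inert. As defence in depth, an allow-list check on the token's character set before rendering (rejecting anything outside the characters a real token can contain) stops junk from reaching the page at all, but the output encoding alone is what closes the XSS.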
