Sociable <= - Admin+ Stored Cross-Site Scripting

ID WPVDB-ID:12F1ED97-D392-449D-B25C-42D241693888
Type wpvulndb
Reporter Genubhau Wayal
Modified 2021-09-20T05:50:13


The plugin does not sanitise or escape some of its settings before outputting them in the admin dashboard, allowing high-privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed.


Put the following payload in the "Background Color" or "Labels Color" field of the plugin's Skyscraper settings (/wp-admin/options-general.php?page=skyscraper_options):

">

Other settings might be affected as well.
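The root cause described above (a colour setting stored unvalidated and echoed unescaped into the settings page) next to a hardened version, as an added example that is not the Sociable plugin's own code; the option name, function names and settings group are assumptions:

```php
<?php
// Added example, not the plugin's code. All identifiers prefixed "example_"
// are assumptions standing in for the plugin's real option/setting names.

// --- Vulnerable pattern: the stored value is echoed verbatim into an attribute.
// A value beginning with  ">  closes the value attribute and the input tag, so
// whatever follows is rendered as markup for every user who opens the settings
// page; unfiltered_html is never consulted because the plugin does the output.
function example_render_color_vulnerable() {
    $color = get_option( 'example_skyscraper_bg_color' );
    echo '<input type="text" name="example_skyscraper_bg_color" value="' . $color . '">';
}

// --- Hardened: validate on save (sanitize_callback) and escape on output (esc_attr).
function example_sanitize_color( $value ) {
    // Accept only #rgb / #rrggbb; anything else falls back to a safe default.
    // sanitize_hex_color() lives in wp-includes/formatting.php since WP 5.4;
    // the preg_match branch covers older installs where it may not be loaded.
    if ( function_exists( 'sanitize_hex_color' ) ) {
        $clean = sanitize_hex_color( $value );
    } else {
        $clean = preg_match( '/^#([0-9a-fA-F]{3}){1,2}$/', (string) $value ) ? $value : '';
    }
    return $clean ? $clean : '#ffffff';
}

function example_register_settings() {
    register_setting(
        'example_skyscraper_options',          // assumed settings group
        'example_skyscraper_bg_color',         // assumed option name
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_color',
            'default'           => '#ffffff',
        )
    );
}
add_action( 'admin_init', 'example_register_settings' );

function example_render_color_hardened() {
    $color = get_option( 'example_skyscraper_bg_color', '#ffffff' );
    // esc_attr() is the second line of defence: even if a bad value reaches the
    // database through another code path, quotes and angle brackets are encoded
    // and cannot terminate the attribute or the tag.
    printf(
        '<input type="text" name="example_skyscraper_bg_color" value="%s">',
        esc_attr( $color )
    );
}
```

Validation on save stops the payload from being stored at all; escaping on output is what protects other users if the database already holds a bad value.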