wpvulndb | Dmitrii Ignatyev | WPVDB-ID: E9D53CB9-A5CB-49F5-BCBA-295AE6FA44C3
History: Mar 27, 2024 - 12:00 a.m.

Social Media Share Buttons < 2.8.9 - Admin+ Stored XSS via settings

2024-03-27 00:00:00
Dmitrii Ignatyev
wpscan.com
Tags: stored xss, plugin, settings, admin, unfiltered html, multisite

AI Score: 5.3 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 8.9%)

Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PoC

1. Go to “Ultimate Social Media Icons”
2. Under “Which icons do you want to show on your site?”, select X
3. Under “What do you want the icons to do?”, in the field “Follow me on X” add the payload: (https://asd\\\\\\\\\\\\\"onmouseover=alert(112312)//)
4. Save the settings
5. Then add the “Ultimate Social Media Icons” widget to your site’s widget area
6. View the frontend of the site and move your mouse over the X menu and submenu to see the XSS
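The root cause described above is a settings value stored unsanitised and printed unescaped into an href attribute, so a double quote in the value closes the attribute and whatever follows becomes a new attribute. The following is an added illustration, not the plugin's code: a hypothetical option (`example_follow_x_url`, hypothetical settings group and text domain) rendered the vulnerable way beside the hardened way, using the WordPress Settings API's sanitize_callback and the core esc_url()/esc_attr() escaping functions.

```php
<?php
// Added example, not the plugin's code. Option name, settings group and
// text domain are hypothetical.

// Vulnerable pattern: the stored value is printed raw into an attribute.
// A saved value containing a double quote ends the href attribute and the
// rest of the value is parsed as further attributes (e.g. an event handler).
function vulnerable_render_follow_link() {
    $url = get_option( 'example_follow_x_url' ); // hypothetical option
    echo '<a href="' . $url . '">Follow me on X</a>';
}

// Hardened pattern, layer 1: sanitise on save. Registering the option with
// a sanitize_callback means only a valid http(s) URL is ever stored, no
// matter which user saves the form; unfiltered_html plays no part here.
// esc_url_raw() drops characters such as " and \ that are not valid in a URL.
function example_sanitize_follow_url( $value ) {
    return esc_url_raw( trim( (string) $value ), array( 'http', 'https' ) );
}
add_action( 'admin_init', function () {
    register_setting( 'example_settings_group', 'example_follow_x_url', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_follow_url',
        'default'           => '',
    ) );
} );

// Hardened pattern, layer 2: escape on output, even though the value was
// sanitised on the way in (the database may hold values saved before the
// callback existed). esc_url() for the href, esc_attr()/esc_html() for any
// other attribute or text node.
function hardened_render_follow_link() {
    $url = get_option( 'example_follow_x_url', '' );
    if ( '' === $url ) {
        return;
    }
    printf(
        '<a href="%s" title="%s">%s</a>',
        esc_url( $url ),
        esc_attr__( 'Follow me on X', 'example-textdomain' ),
        esc_html__( 'Follow me on X', 'example-textdomain' )
    );
}
```

The two layers are independent: sanitising on save protects the stored data, escaping on output protects the page regardless of how the data got into the database.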

CPE

Name | Operator | Version
     | eq       | 2.8.9
