Vendor: AccessPress Social Icons
By: Murat DEMIRCI
CVSS: 8.8 (HIGH)
CWE: 79 (Stored Cross-Site Scripting (XSS))
Product Name: AccessPress Social Icons
Affected Version From: 1.8.2002
Affected Version To: 1.8.2002
Patch Exists: YES
Related CWE:
CPE: a:accesspressthemes:accesspress_social_icons
Metasploit:
Other Scripts:
Platforms Tested: Windows 10
2021

WordPress Plugin AccessPress Social Icons 1.8.2 – ‘icon title’ Stored Cross-Site Scripting (XSS)

A stored Cross-Site Scripting (XSS) vulnerability exists in the AccessPress Social Icons 1.8.2 WordPress plugin. An attacker can inject malicious JavaScript into the 'icon title' field; the value is stored in the database without sanitization and, when a user visits a page where the icon is rendered, the stored code executes in that user's browser.

Mitigation:

Update to the latest version of AccessPress Social Icons plugin.

Exploit-DB raw data:

# Exploit Title: WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)
# Date: 11/12/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://accesspressthemes.com/
# Software Link: https://wordpress.org/plugins/accesspress-social-icons/
# Version: 1.8.2
# Tested on: Windows 10

# PoC:

1. Install the latest WordPress.
2. Install and activate AccessPress Social Icons 1.8.2.
3. Open the plugin in the left frame and go to "Add New". Click "Choose icon individually" and fill in the other fields.
4. Enter the JavaScript payload shown below into the 'icon title' field and click "Add Icon to list".

<img src=x onerror=confirm('xss')>

5. You will observe that the payload has been stored in the database and an alert is shown on the screen.
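As an added illustration (not the plugin's own code, which this page does not show), the unescaped-output pattern behind a stored XSS of this kind next to its hardened form, exercised with the payload from the advisory. The function names and the sample href are assumptions; htmlspecialchars() stands in for WordPress's esc_attr()/esc_html().

```php
<?php
// Added illustration, not the AccessPress Social Icons plugin's own code.
// Constructed sample: the payload from the advisory, as it would sit in the
// database after being saved from the 'icon title' field.
$storedTitle = "<img src=x onerror=confirm('xss')>";

// Vulnerable pattern: a stored, attacker-controlled string is concatenated
// straight into markup, so the browser parses the <img> tag and runs onerror.
function render_icon_unsafe(string $title, string $href): string
{
    return '<a href="' . $href . '" title="' . $title . '">' . $title . '</a>';
}

// Hardened pattern: escape at the point of output, for the context the value
// lands in (attribute and text node here). htmlspecialchars() with ENT_QUOTES
// stands in for WordPress's esc_attr() / esc_html(); an href would go through
// esc_url() in WordPress, which also drops javascript: and similar schemes.
function render_icon_safe(string $title, string $href): string
{
    $safeTitle = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeHref  = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safeHref . '" title="' . $safeTitle . '">' . $safeTitle . '</a>';
}

// Defence in depth: strip tags on save as well, so the database never holds
// markup (sanitize_text_field() is the WordPress equivalent). Output escaping
// is still required, because older rows and other write paths are not covered.
function sanitize_icon_title(string $raw): string
{
    return trim(strip_tags($raw));
}

// Does the rendered HTML still contain a live <img> element?
function contains_img_tag(string $html): bool
{
    return stripos($html, '<img') !== false;
}

$href = 'https://example.com/'; // assumed sample link target
var_dump(contains_img_tag(render_icon_unsafe($storedTitle, $href)));
var_dump(contains_img_tag(render_icon_safe($storedTitle, $href)));
var_dump(contains_img_tag(render_icon_safe(sanitize_icon_title($storedTitle), $href)));
```

Only the unsafe renderer leaves an `<img` element in its output; the escaped renderer turns the stored value into inert text, and sanitizing on save removes the markup before it reaches the database at all.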