Researchers at Plugin Vulnerabilities have discovered an authenticated Persistent Cross-Site Scripting (XSS) flaw in the Facebook Widget (Widget for Facebook Page Feeds).
The plugin is one of the 1,000 most popular plugins and it was closed on the WordPress Plugin Directory yesterday. After being informed of the closure, the experts analyzed the plugin and discovered it is affected by an authenticated persistent cross-site scripting (XSS) vulnerability. The flaw is caused by the improper handling of the security of
“While we were looking
Experts pointed out that the
For lower level users, WordPress does not sanitize them for usage
To protest against the moderators of the WordPress Support Forum’s, the experts decided to disclose the flaw and to share the proof-of-concept code.
“When logged in as an Author, which does not have the unfiltered_html capability, place the following shortcode on a post:
[fb_widget height='" onmouseover="alert(document.cookie)']
“When visiting the post on the