• Vulnerability: XSS
  • Affected Software: Blog2Social (30,000+ active installations)
  • Affected Version: 5.0.2
  • Patched Version: 5.0.3
  • Risk: Medium
  • Vendor Contacted: 10/25/2018
  • Vendor Fix: 11/13/2018
  • Public Disclosure: 02/05/2019
CVSS

6.1 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

The Blog2Social WordPress plugin is vulnerable to reflected XSS as it echoes the b2s_update_publish_date parameter without proper encoding.

Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.

Proof of Concept
http://192.168.0.103/wordpress/wp-admin/admin.php?page=blog2social-ship&postId=70&b2s_action=1&b2s_update_publish_date='"><img src=x onerror=alert(1)>
Code
blog2social/includes/Loader.php:                    
echo '<div class="updated"><p>' . __('This post will be shared into your social media on', 'blog2social') . ' ' . $_GET['b2s_update_publish_date'] . ' <a target="_blank" href="' . $b2sLink . 'blog2social-sched">' . __('show details', 'blog2social') . '</a></p></div>';
Timeline
  • 10/25/2018 Sent advisory
  • 10/26/2018 Vendor confirms recipt of advisory
  • 11/13/2018 Vendor releases fix
  • 02/05/2019 Confirmed Fix & Disclosure