Easy Social Share Buttons for WordPress XSS Vulnerability

## FULL DISCLOSURE

#Product :Easy Social Share Buttons for WordPress
#Exploit Author : Rahul Pratap Singh
#Version :3.2.5
#Home page Link :
http://codecanyon.net/item/easy-social-share-buttons-for-wordpress/6394476
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 21/4/2016

XSS Vulnerability:

----------------------------------------
Description:
------------------------------
----------
Following  parameters are not sanitized that leads to XSS Vulnerability.

----------------------------------------
Vulnerable Code:
----------------------------------------

 File Name: testfiles/Easy Social Share Buttons for WordPress
v3.2.5/easy-social-share-buttons3/lib/modules/social-image-share/essb-social-image-share-selected.php
Found at line:16
echo '<link rel="canonical" href="'.$page_link.'"/>';
Found at line:17
echo '<meta property="og:url" content="'.$page_link.'"/>';
Found at line:18
echo '<meta property="twitter:url" content="'.$page_link.'"/>';
Found at line:20
echo '<meta property="og:image" content="http://'.$_GET['img'].'"/>';
Found at line:21
echo '<meta property="twitter:image" content="http://'.$_GET['img'].'"/>';
Found at line:38
echo '<meta http-equiv="refresh" content="0;url='.$_GET['url'].'">';

File Name: testfiles/Easy Social Share Buttons for WordPress
v3.2.5/easy-social-share-buttons3/lib/modules/social-metrics-lite/esml-render-results.php
Found at line:49
<input type="hidden" name="page" value="<?php echo $_REQUEST['page'] ?>" />

File Name: testfiles/Easy Social Share Buttons for WordPress
v3.2.5/easy-social-share-buttons3/lib/admin/essb-settings-shortcode-generator.php
Found at line:3
$active_shortcode = isset($_REQUEST['code']) ? $_REQUEST['code'] :
'easy-social-share';
Found at line:7
$scg->activate($active_shortcode);
Found at line:53
<input type="hidden" id="code" name="code" value="<?php echo
$active_shortcode; ?>"/>

File Name: testfiles/Easy Social Share Buttons for WordPress
v3.2.5/easy-social-share-buttons3/lib/core/options/essb-options-interface.php
Found at line:8
$active_section = isset($_REQUEST['section']) ? $_REQUEST['section'] : '';
Found at line:24
echo '<input id="section" name="section" type="hidden"
value="'.$active_section.'"/>';

File Name: testfiles/Easy Social Share Buttons for WordPress
v3.2.5/easy-social-share-buttons3/lib/core/options/essb-options-interface.php
Found at line:9
$active_subsection = isset($_REQUEST['subsection']) ?
$_REQUEST['subsection'] : '';
Found at line:25
echo '<input id="subsection" name="subsection" type="hidden"
value="'.$active_subsection.'"/>';
Found at line:26
echo '<input id="tab" name="tab" type="hidden" value="'.$current_tab.'"/>';
----------------------------------------

Fix:
Update to 3.5

Vulnerability Disclosure Timeline:
→ March 12, 2016  – Bug discovered, initial report to Vendor
→ March 14, 2016  – Vendor Acknowledged
→ March 30, 2016  – Vendor Deployed a Patch

Pub Ref:
https://0x62626262.wordpress.com/2016/04/21/easy-social-share-buttons-for-wordpress-xss-vulnerability/
http://fb.creoworx.com/essb/change-log/