WP Social Ninja Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the WP Social Ninja plugin for WordPress, specifically in versions through 3.20.3. This vulnerability arises from inadequate input sanitization and output escaping of externally sourced content. As a result, unauthenticated attackers can inject arbitrary web scripts into pages, which will execute when a user accesses the affected page. The exploitation requires the attacker to post malicious content to a connected Google Business Profile or Facebook page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, upload a malicious script to a Google Business Profile or Facebook page linked to the WordPress site. Then, use the WP Social Ninja plugin to import reviews or content from that profile or page, which will trigger the execution of the injected script.

Remediation

Users are advised to update the WP Social Ninja plugin to version 4.0.0 or later, where this vulnerability has been patched.