Alfie Feed Plugin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Alfie – Feed Plugin for WordPress, affecting all versions through 1.2.1. The issue arises from the 'naam' parameter, which lacks proper nonce validation and input sanitization in the 'alfie_option_page()' function. This vulnerability allows unauthenticated attackers to inject malicious scripts that are saved in the plugin's database. The injected scripts are executed when a user views the page containing the compromised data, provided they can persuade a site administrator to click a link or perform a similar action.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, an unauthenticated user can submit a form through the 'alfie_option_page' in the WordPress admin area. The form must include a 'naam' parameter with the injected script. Once submitted, the script will be executed when the injected data is accessed, assuming an administrator is tricked into doing so.