PHP_SELFish: underConstruction, Easy Social Icons

Part 1 – Reflected XSS in underConstruction Plugin

This post examines a reflected cross-site scripting vulnerability that abuses the PHP_SELF variable. Part 2 below describes a second plugin affected by a similar vulnerability arising from the same use of PHP_SELF.
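The pattern behind both findings, shown as an added illustration that is not code from either plugin: PHP_SELF is derived from the request path, so writing it into markup unescaped lets a crafted path land inside the page. The function names and the sample path are constructed for this example.

```php
<?php
// Added illustration, not code from underConstruction or Easy Social Icons.
// $_SERVER['PHP_SELF'] reflects the request path (including PATH_INFO), so it
// is attacker-influenced input and must be treated like any other user data.

// Vulnerable: the request path flows straight into an HTML attribute.
function render_form_vulnerable(): string {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">'
         . '<input type="submit" value="Save"></form>';
}

// Hardened: escape for the attribute context before output. In WordPress
// code esc_url() or esc_attr() fills this role; htmlspecialchars() is used
// here so the snippet runs outside WordPress.
function render_form_hardened(): string {
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<input type="submit" value="Save"></form>';
}

// Better still for a plugin admin page: do not reflect the request path at
// all, e.g. action="" (submit to the current URL) or a fixed admin_url() value.
function render_form_fixed_target(): string {
    return '<form method="post" action="">'
         . '<input type="submit" value="Save"></form>';
}

// Constructed request path carrying a quote and a tag, as a detection aid only.
$_SERVER['PHP_SELF'] = '/wp-admin/admin.php/"><em>marker</em>';

echo render_form_vulnerable(), PHP_EOL;  // attribute is broken open by the path
echo render_form_hardened(), PHP_EOL;    // path is emitted as &quot;&gt;&lt;em&gt;...
echo render_form_fixed_target(), PHP_EOL;

// A quick check a reviewer can run: the hardened output must not contain the
// raw closing sequence that ends the attribute.
var_dump(strpos(render_form_hardened(), '"><') === false); // bool(true)
```

Grepping a plugin for `PHP_SELF` and confirming every occurrence passes through an escaping function before output is the corresponding code-review check.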

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in underConstruction, a WordPress plugin with over 80,000 installations.

A patched version, 1.19, was released on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

If you aren’t running Wordfence and are a user of this plugin, we recommend you immediately upgrade to version 1.19 of underConstruction, which contains the patch.

Original source and technical explanation: https://www.wordfence.com/blog/2021/09/reflected-xss-in-underconstruction-plugin

Part 2 – Reflected XSS in Easy Social Icons

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in Easy Social Icons, a WordPress plugin with over 40,000 installations.

An initial patch, version 3.0.9, was released on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

Newer versions of the plugin also contain patches for additional XSS vulnerabilities, and all Wordfence users are protected against these vulnerabilities by our firewall’s built-in XSS protection. If you’re not using Wordfence, we recommend that you immediately upgrade to version 3.1.3 of the Easy Social Icons plugin.

Original source and technical explanation: https://www.wordfence.com/blog/2021/09/php_selfish-part-2-reflected-xss-in-easy-social-icons
