CVE-2026-1923

Social Rocket – Social Sharing Plugin <= 1.3.4.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via id

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Patched in: 1.3.5
Time to patch: 1d

Description

The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.3.4.2
Published: April 22, 2026
Last updated: April 23, 2026
Affected plugin: social-rocket

What Changed in the Fix

Changes introduced in v1.3.5


Source Code

WordPress.org SVN
Research Plan
Unverified


This research plan outlines the steps to demonstrate a Stored Cross-Site Scripting (XSS) vulnerability in the Social Rocket plugin (<= 1.3.4.2). The vulnerability allows a Subscriber-level user to inject malicious scripts via the id parameter in a settings-save AJAX action, which then executes when an administrator views the Click to Tweet settings page.

1. Vulnerability Summary

  • ID: CVE-2026-1923
  • Vulnerability: Authenticated Stored XSS
  • Vulnerable Parameter: id
  • Affected Endpoint: wp-admin/admin-ajax.php via the social_rocket_tweet_settings_save action.
  • Cause: The plugin registers AJAX handlers for managing "Click to Tweet" settings/styles but performs no capability check (such as current_user_can('manage_options')) in them. In addition, it stores the id parameter with insufficient sanitization and later outputs it in the admin interface without proper escaping.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: social_rocket_tweet_settings_save
  • Authentication: Required (Subscriber or higher)
  • Payload Parameter: id
  • Vulnerable Context: The id is used as a key or identifier for custom Click to Tweet styles and is rendered in the admin dashboard (likely within the "Click to Tweet" settings tab).

3. Code Flow

  1. Registration: Social_Rocket_Admin::__construct (in admin/includes/class-social-rocket-admin.php) registers several AJAX actions, including social_rocket_tweet_settings_save.
  2. Access: These actions are registered using wp_ajax_, making them accessible to any logged-in user.
  3. Lack of Authorization: The handler function tweet_settings_save (and others like tweet_settings_update) likely verifies a nonce but lacks a current_user_can check.
  4. Storage: The id parameter is received from $_POST['id'] and saved into the WordPress options table (likely within an array under social_rocket_settings or social_rocket_tweet_styles).
  5. Sink: When an administrator navigates to Social Rocket > Click to Tweet, the plugin retrieves the saved styles and iterates through them. The id is printed into the HTML (e.g., as part of a list or a data-attribute) without using esc_attr() or esc_html().
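As an added illustration of the pattern described in the Cause and Code Flow sections (not the plugin's own code, and not the v1.3.5 patch, which is not shown on this page), a minimal AJAX handler with the missing checks beside a hardened version; the option name example_tweet_styles, the function names and the nonce action string are assumptions:

```php
<?php
// Added illustration of the pattern described above, not the plugin's code.
// Option name, function names and the nonce action string are assumptions.

// Vulnerable pattern: nonce check only, raw id stored, echoed unescaped later.
function example_tweet_settings_save_vulnerable() {
    check_ajax_referer( 'social_rocket_nonce', 'nonce' ); // stops CSRF, not Subscribers
    $styles = get_option( 'example_tweet_styles', array() );
    $styles[ $_POST['id'] ] = array( 'tweet_text' => $_POST['settings']['tweet_text'] );
    update_option( 'example_tweet_styles', $styles );
    wp_send_json_success();
}

// Hardened pattern: capability check, allow-listed id, sanitized fields.
function example_tweet_settings_save_hardened() {
    check_ajax_referer( 'social_rocket_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // calls wp_die()
    }
    // A style id is an identifier: allow only [A-Za-z0-9_-] and reject the
    // request outright, so quotes and angle brackets never reach the database.
    $id = isset( $_POST['id'] ) ? wp_unslash( $_POST['id'] ) : '';
    if ( ! is_string( $id ) || ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $id ) ) {
        wp_send_json_error( 'invalid style id', 400 );
    }
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $styles   = get_option( 'example_tweet_styles', array() );
    $styles[ $id ] = array(
        'tweet_text'     => sanitize_text_field( $settings['tweet_text'] ?? '' ),
        'tweet_username' => sanitize_user( $settings['tweet_username'] ?? '', true ),
    );
    update_option( 'example_tweet_styles', $styles );
    wp_send_json_success( array( 'id' => $id ) );
}
add_action( 'wp_ajax_example_tweet_settings_save', 'example_tweet_settings_save_hardened' );

// Sink: escape on output as well, so a stale or hand-edited option cannot
// inject markup even though ids are now validated on input.
function example_render_tweet_styles() {
    foreach ( (array) get_option( 'example_tweet_styles', array() ) as $id => $style ) {
        printf(
            '<li data-style-id="%s">%s</li>',
            esc_attr( $id ),
            esc_html( $style['tweet_text'] ?? '' )
        );
    }
}
```

The capability check is what closes the Subscriber-level access path; input validation and output escaping each independently prevent the stored payload from rendering as markup, so a reviewer should expect all three in a complete fix.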

4. Nonce Acquisition Strategy

The plugin localizes a JavaScript object named socialRocketAdmin in the WordPress admin area. This object contains the necessary nonce.

  1. Preparation: Since the plugin enqueues its admin scripts on all admin pages (including the user profile), a Subscriber can access it.
  2. Navigation: Use the browser to log in as a Subscriber and navigate to /wp-admin/profile.php.
  3. Extraction: Use browser_eval to extract the nonce from the socialRocketAdmin object.
    • Variable Name: socialRocketAdmin
    • Nonce Key: nonce (verifiable via browser_eval("window.socialRocketAdmin"))
    • Action String: Likely social_rocket_nonce or similar (localized in the nonce key).

5. Exploitation Strategy

  1. Login: Authenticate as a Subscriber user.
  2. Nonce Extraction:
    • Navigate to /wp-admin/profile.php.
    • Execute: NONCE = browser_eval("window.socialRocketAdmin.nonce").
  3. Injection: Send a POST request to admin-ajax.php to save a malicious "tweet style".
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Content-Type: application/x-www-form-urlencoded
    • Body:
      action=social_rocket_tweet_settings_save
      &nonce=[EXTRACTED_NONCE]
      &id=style-"><img src=x onerror=alert(document.domain)>
      &settings[tweet_text]=Test
      &settings[tweet_username]=testuser
      
  4. Triggering: Log in as an Administrator and navigate to the plugin settings:
    • URL: /wp-admin/admin.php?page=social_rocket_click_to_tweet

6. Test Data Setup

  • User: A user with the subscriber role.
  • Plugin State: Ensure Social Rocket is active. No existing "Click to Tweet" styles are required, as the exploit creates one.

7. Expected Results

  • The AJAX request should return a success response (likely a JSON object with success: true).
  • The payload style-"><img src=x onerror=alert(document.domain)> will be stored in the database.
  • When an administrator views the "Click to Tweet" settings page, an alert box showing the document domain will appear.

8. Verification Steps

  1. Database Check: Use WP-CLI to inspect the stored settings:
    wp option get social_rocket_tweet_settings --format=json
    
    Confirm that the id key in the settings array contains the malicious payload.
  2. HTML Inspection: Use http_request as an administrator to fetch the settings page and check for the unescaped payload:
    # Look for the onerror attribute in the response body
    http_request(url="http://localhost:8080/wp-admin/admin.php?page=social_rocket_click_to_tweet")
    

9. Alternative Approaches

  • Shortcode Context: If the id is also echoed when the [social_rocket_tweet id="..."] shortcode is used on the frontend, check if the injection triggers for any user viewing a post containing that shortcode.
  • tweet_settings_update: If save is restricted, attempt the social_rocket_tweet_settings_update action, which likely follows the same vulnerable pattern.
  • Parameter Variation: If the id parameter itself is escaped, check if keys inside the settings array (e.g., settings[tweet_text]) are also unescaped when rendered in the admin preview.
