Discussion forum for WP Socializer plugin

Security issue: Unsanitized HTML output via WPS

User avatar
Posts: 1
Joined: 4 years ago

Security issue: Unsanitized HTML output via WPS

Postby RedofM3 » 4 years ago

My host states the WPS is injectable at the D parameter and the remote CGI is able to run scripts because there is not proper sanitizing using the HTTP method.

The remote web server hosts cgi scripts that fail to adequately sanitize request strings. By
leveraging this issue, an attacker may be able to include a remote file from a remote server and
execute arbitrary commands on the target host.

High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Restrict access to the vulnerable application. Contact the vendor
for a patch or upgrade.

-------- output --------
<a href="http://twitter.com/share" class="twitter-share-button" da [...]
<!-- End WP Socializer Plugin - Retweet Button -->
[...] includes%3A+safety%2C+saving+money%2C+eco-friendly%2C+speed%2C+and+more+convenience...Will+you+choose+to+MAD%3F+It+is+time+to+Make+A+Difference.%0D%0A%0D%0A%0D%0AStatistics%0D%0ADo+you+want+to+become+a+statistic%3F+Read+and+decide+if+you+are+already+a+stat%20-%20http://mommasmoneymatters.com/mad-bill-pay/?D=http://w2DCfiZo.example.com/" title="Email this" target="_blank" rel="nofollow"class="wp-socializer-single"><img src="http://mommasmoneymatters.com/wp-content/plugins/wp-socializer/public/social-icons/16/email.png" alt="Email" border="0"/></a><span class="wp-socializer-label"><a href="mailto:?to=&amp;subject=What+Century+Is+It%3F&amp;body=If+the+list+of+benefits+includ [...]
<!-- Start WP Socializer | Floating bar - JS file-->
<script type="text/javascript" src="http://mommasmoneymatters.com/ [...]

I have a flood of messages for every instance of WPS (one for every WPS button on every page where it displays) which is close to 59,000. I think the spider just died rather than send any more messages.

I have no choice but disable until there is a fix because my security certificate will be invalidated if I do not. Please advise.
User avatar
Site Admin
Posts: 733
Joined: 7 years ago
Location: India

Re: Security issue: Unsanitized HTML output via WPS

Postby vaakash » 4 years ago

Sorry can't get your problem. Can you please explain it in a simple manner where it happens actually ???