Due to a lack of input sanitization in the
includes/instalinker-admin-preview.php file, it is possible to utilise a reflected XSS vector to run a script in the target user’s browser and potentially compromise the WordPress installation.
There are numerous query string parameters that can be abused to use this vector, the first one can be found on line 17:
<?php echo !empty($_GET['client_id']) ? 'data-il-client-id="' . $_GET['client_id'] . '"' : ""; ?>
1.1.1 and below
Upgrade to version 1.1.2
Proof of Concept
WordPress Exploit Framework Module
- 2016-02-06: Found Original Publication of the vulnerability and contacted the vendor to make them aware along with a patch to fix the issue.
- 2016-02-07: Vendor responded and released version 1.1.2 which includes the patch.