Wrong content-type to XSS

WordPress Social Sharing Plugin – Sassy Social Share, which currently has over 100000 installations just fixed a Cross Site Scripting Vulnerability. This bug allows attackers to send custom links that direct unsuspecting users toward a vulnerable page. From this page, they often employ a variety of methods to trigger their proof of concept.

Let’s take a look to the patch:

+++ b/sassy-social-share.new/public/class-sassy-social-share-public.php
@@ -1511,6 +1511,7 @@ class Sassy_Social_Share_Public {
        private function ajax_response( $response ) {
                $response = apply_filters( 'heateor_sss_ajax_response_filter', $response );
+               header( 'Content-Type: application/json' );
                die( json_encode( $response ) );

        }
@@ -1540,7 +1541,7 @@ class Sassy_Social_Share_Public {
                if ( isset( $_GET['urls'] ) && count( $_GET['urls'] ) > 0 ) {
                        $target_urls = array_unique( $_GET['urls'] );
                        foreach ( $target_urls as $k => $v ) {
-                               $target_urls[$k] = esc_attr( $v );
+                               $target_urls[esc_attr( $k )] = esc_attr( $v );
                        }
                }

JSON data returned to the user didn’t have a content type defined in the function _ajaxresponse() and the default is html. This together with the following snipped allowing any authenticated user consume that endpoint makes this bug really easy for attackers to exploit:

includes/class-sassy-social-share.php
205:        add_action( 'wp_ajax_heateor_sss_sharing_count', array( $plugin_public, 'fetch_share_counts' ) );
206:        add_action( 'wp_ajax_nopriv_heateor_sss_sharing_count', array( $plugin_public, 'fetch_share_counts' ) );

Because of the nature of the bug, and due this issue was already fixed, we can share a simple PoC that shows how a malicious link abusing this vulnerability might be presented:

http://vulnerablesite.com/wp-admin/admin-ajax.php?action=heateor_sss_sharing_count&urls[<h onmouseover%3Dalert(1)>]=hola.com&urls[1]=hola2.com

If you have an old version of this plugin installed please update to the latest version (3.3.4) asap. You can add a WAF as a second layer of protection and virtually patch the vulnerability.