Favicon by RealFaviconGenerator < 1.3.23 - Reflected Cross-Site Scripting
Description
The Favicon by RealFaviconGenerator WordPress plugin before 1.3.23 does not properly sanitise and escape the json_result_url parameter before outputting it back in the Favicon admin dashboard, leading to a Reflected Cross-Site Scripting issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Favicon by RealFaviconGenerator WordPress plugin before 1.3.23 allows attackers to inject arbitrary JavaScript via the json_result_url parameter.
Vulnerability
The Favicon by RealFaviconGenerator WordPress plugin versions before 1.3.23 fail to properly sanitize and escape the json_result_url parameter before outputting it back in the Favicon admin dashboard. This leads to a reflected Cross-Site Scripting (XSS) vulnerability. The vulnerable code path is reachable when an administrator accesses the plugin's settings page and the parameter is reflected without proper encoding [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a JavaScript payload in the json_result_url parameter and tricking an authenticated administrator into clicking it. No additional privileges or network position beyond the ability to deliver the link is required. The payload executes in the context of the admin's browser session.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the WordPress admin dashboard. This can lead to session hijacking, defacement, or theft of sensitive information such as authentication cookies or admin credentials. The attacker gains the same privileges as the targeted administrator.
Mitigation
The vulnerability is fixed in version 1.3.23 of the plugin. Users should update to this version or later immediately. No workarounds are documented. The plugin is actively maintained, and the latest version as of the reference is 1.3.48 [1].
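The escaping failure described above, shown as an added illustrative example in PHP. This is not the plugin's code and not the actual fix in 1.3.23; the function names, the hidden-input markup and the nonce action name are assumptions. It places the unescaped reflection beside the escaped form so the difference is concrete.

```php
<?php
// Added illustrative example, not the plugin's own code. The helper names,
// the settings-page markup and the nonce action are assumptions.

// Vulnerable pattern (assumed shape): the raw query parameter is written
// straight into an HTML attribute. A quote or angle bracket in the value
// ends the attribute and the rest becomes part of the page's markup.
function rfg_example_render_result_url_vulnerable() {
    $json_result_url = isset( $_GET['json_result_url'] ) ? $_GET['json_result_url'] : '';
    echo '<input type="hidden" name="json_result_url" value="' . $json_result_url . '">';
}

// Hardened pattern: unslash and sanitise on input, then escape for the exact
// output context. esc_url_raw()/esc_url() only allow schemes on WordPress's
// allowed-protocol list (javascript: is not on it) and encode characters that
// would otherwise terminate the attribute. Use esc_attr() instead when the
// value is plain text rather than a URL.
function rfg_example_render_result_url_hardened() {
    $json_result_url = '';
    if ( isset( $_GET['json_result_url'] ) ) {
        $json_result_url = esc_url_raw( wp_unslash( $_GET['json_result_url'] ) );
    }
    echo '<input type="hidden" name="json_result_url" value="' . esc_url( $json_result_url ) . '">';
}

// Defence in depth for an admin-only page: require the capability and a nonce,
// so a request carrying json_result_url is only honoured when it originates
// from a form the administrator's own session generated, which removes the
// "trick an admin into clicking a link" delivery path.
function rfg_example_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'rfg-example' ) );
    }
    if ( isset( $_GET['json_result_url'] ) ) {
        check_admin_referer( 'rfg_example_result' ); // hypothetical nonce action name
    }
    rfg_example_render_result_url_hardened();
}
```

The key point is the last line of each render function: escaping is applied at output time, chosen for the context (URL inside an attribute), and is independent of whatever sanitisation happened on input. The capability and nonce checks do not replace escaping; they shrink the set of requests that reach the reflection at all.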
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.3.23
Patches
- r2695862
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/changeset/2695862 (x_refsource_CONFIRM)
- wpscan.com/vulnerability/499bfee4-b481-4276-b6ad-0eead6680f66 (x_refsource_MISC)
News mentions
No linked articles in our index yet.