WordPress Manager for Icomoon Plugin <= 2.0 is vulnerable to Cross Site Scripting (XSS)
Description
Stored XSS in Manager for IcoMoon plugin <=2.0 allows contributor+ users to inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Manager for IcoMoon plugin for WordPress, affecting versions 2.0 and earlier. Authenticated users with the Contributor role or higher can inject arbitrary web scripts through the plugin's input handling: user-supplied data is stored without adequate sanitization and later rendered without output escaping in the WordPress admin interface. The CVE description does not name the specific field or admin page involved. [1]
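The generic shape of the bug the advisory describes, as an added illustration that is not code from the Manager for IcoMoon plugin: a value a Contributor can store is later printed into admin-page HTML unescaped, shown beside the hardened form. The storage array, the payload and the function names are assumptions for the example; the WordPress escaping and capability functions named in the comments are real, but they are not called here so that the file runs stand-alone.

```php
<?php
// Added illustration, not the plugin's code: stored XSS (contributor writes,
// admin renders) beside the hardened form. $store stands in for an option
// or post-meta row; function names are assumed.

// Save path reachable by a low-privilege (Contributor) user.
function save_icon_label(array &$store, string $label): void
{
    // Raw storage is only safe if every output path escapes for its context.
    $store['icon_label'] = $label;
}

// VULNERABLE: concatenates the stored value straight into admin-page HTML.
function render_icon_label_vulnerable(array $store): string
{
    return '<td class="icon-name">' . $store['icon_label'] . '</td>';
}

// HARDENED: escape at output time for the HTML text context.
// WordPress equivalents: esc_html() here, esc_attr() inside attributes,
// esc_url() for href/src, wp_kses_post() where limited markup is intended.
function render_icon_label_hardened(array $store): string
{
    $safe = htmlspecialchars($store['icon_label'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="icon-name">' . $safe . '</td>';
}

// Defence in depth on the write side: strip markup from a value that is
// supposed to be a plain label. In WordPress the save handler would also
// require an appropriate capability via current_user_can() and a nonce via
// check_admin_referer() before accepting the request at all.
function sanitize_label(string $label): string
{
    return trim(strip_tags($label));
}

// Constructed payload of the kind a Contributor-level account could submit.
$payload = '<script>alert(document.domain)</script>';

$store = [];
save_icon_label($store, $payload);
echo "vulnerable: " . render_icon_label_vulnerable($store) . PHP_EOL;
echo "hardened:   " . render_icon_label_hardened($store) . PHP_EOL;

$clean = [];
save_icon_label($clean, sanitize_label($payload));
echo "sanitized:  " . render_icon_label_hardened($clean) . PHP_EOL;

// Self-check: the hardened renderer never emits a live <script> tag.
assert(strpos(render_icon_label_hardened($store), '<script') === false);
```

Run it with the `php` command-line binary. The "vulnerable" line reproduces the condition the advisory describes; the "hardened" line shows the payload neutralised by context-correct output escaping, which is the primary fix. Input sanitisation and the capability/nonce checks are secondary: they keep low-privilege accounts from reaching the save handler with markup in the first place, but they do not replace escaping at the sink.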
Exploitation
An attacker needs a WordPress account with at least the Contributor role, a level many sites grant to untrusted authors. The attacker submits a payload such as a script element or an event-handler attribute through the affected plugin input; because the value is stored, it executes in the browser of every user who later opens the page where it is rendered, including administrators. No user interaction beyond viewing the page is required. The CVE description does not identify which input is affected. [1]
Impact
Successful exploitation executes attacker-controlled JavaScript in the victim's browser under that user's WordPress session. Because WordPress sets its authentication cookies with the HttpOnly flag, reading them from script is normally not possible; the practical risk is that the script issues authenticated requests on the victim's behalf (a REST API nonce is typically exposed to page scripts in the admin area), so an administrator victim can be made to create accounts, change settings or install code. The payload is persistent and affects every user who views the affected page, so an administrator viewing it can lead to full site compromise. [1]
Mitigation
The synthesized narrative reports the issue as fixed in version 3.0 of Manager for IcoMoon, but this page's Patches section records no confirmed patch, so verify the fixed version against the plugin's changelog on WordPress.org before relying on it. Update to the latest release; if no fixed release is available, deactivate the plugin or restrict Contributor-level accounts to trusted users until one is. No other workaround is documented. [1]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Manager for Icomoon plugin: range <= 2.0
- Julien Crego / Manager for Icomoon v5: range n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.