Today’s post is part two of a two part blog post. It describes a cross site scripting vulnerability in the Easy Social Icons plugin that exploits the
PHP_SELF variable. In yesterday’s post, we described another plugin, underConstruction, suffering from a similar vulnerability related to the use of
On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in Easy Social Icons, a WordPress plugin with over 40,000 installations.
After 2 weeks without a response, we forwarded the issue to the WordPress plugins team on August 30, 2021. An initial patch, version 3.0.9, was released the next day, on August 31, 2021.
A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.
Newer versions of the plugin also contain patches for additional XSS vulnerabilities, and all Wordfence users are protected against these vulnerabilities by our firewall’s built-in XSS protection. If you’re not using Wordfence, we recommend that you immediately upgrade to version 3.1.3 of the Easy Social Icons plugin.
Reflected Cross-Site Scripting
Easy Social Icons
CVE ID: CVE-2021-39322
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Fully Patched Version:
$_SERVER['PHP_SELF'] variable. This differs slightly from yesterday’s vulnerability, which used
function show_confirm(title, id)
var rpath1 = "";
var rpath2 = "";
var r=confirm('Are you confirm to delete "'+title+'"');
rpath1 = '<?php echo $_SERVER['PHP_SELF'].'?page=cnss_social_icon_page'; ?>';
rpath2 = '&cnss-delete=y&id='+id;
window.location = rpath1+rpath2;
The primary difference between
$_SERVER is that
$_SERVER is a built-in PHP “superglobal” variable that holds values provided by the webserver (such as Apache or Nginx) while
$GLOBALS is a built-in PHP variable that holds the contents of all of PHP’s “superglobal” variables, including
$_POST, as well as the contents of
As with yesterday’s vulnerability, sites running Apache and modPHP store additional path information after the filename in
While sites running on Apache+modPHP, which is an extremely common configuration, are most likely to be vulnerable, other configurations may be vulnerable as well depending on how they have been set up.
August 16, 2021 – Wordfence Threat Intelligence finds the vulnerability and attempts to contact the plugin developer. We release a firewall rule to protect Wordfence Premium users.
August 30, 2021 – After 2 weeks without a response we contact the WordPress plugins team.
August 31, 2021– A patched version of the plugin is made available.
September 15, 2021 – Sites running the free version of Wordfence receive the firewall rule.
Wordfence Premium users have been protected against this vulnerability since August 16, 2021. Sites still running the free version of Wordfence received the same protection on September 15, 2021. We strongly recommend updating to the latest version available, 3.1.3, as soon as possible, as it also contains additional fixes, though the Wordfence Firewall blocks exploitation of these additional vulnerabilities via its built-in XSS protection.
If you believe your site has been compromised as a result of this or any other attack, Wordfence offers professional Site Cleaning services. Our Security Analysts remove any malware found, and also determine the intrusion vector if possible, as well as providing recommendations to prevent future infections.
If anyone you know is using the Easy Social Icons plugin, please forward this article to them and encourage them to update. If you’d like to be alerted when we publish new threat research, you can join our mailing list on this page.