Cross-site scripting (XSS) vulnerability in feedlist/handler_image.php in the FeedList plugin 2.61.01 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.
WordPress websites using the vulnerable FeedList plugin are susceptible to Cross-Site Scripting (XSS) attacks. Attackers can inject malicious scripts into the website, potentially leading to account compromise, data theft, or website defacement. This vulnerability requires immediate patching to mitigate the risk.
Step 1: Payload Delivery: The attacker crafts a malicious URL containing JavaScript code within the i parameter of a request to feedlist/handler_image.php. For example: http://vulnerable-site.com/wp-content/plugins/feedlist/feedlist/handler_image.php?i=<script>alert('XSS')</script>.
Step 2: Request Processing: The WordPress server receives the crafted HTTP request.
Step 3: Parameter Extraction: The handler_image.php script extracts the value of the i parameter.
Step 4: Insufficient Sanitization: The script fails to properly sanitize or encode the value of the i parameter.
Step 5: Output Rendering: The script renders the unsanitized value of the i parameter within the HTML response, typically within an <img> tag or other context where the injected JavaScript can execute.
Step 6: JavaScript Execution: The user's browser parses the HTML response and executes the injected JavaScript code, leading to XSS.
The vulnerability stems from insufficient input validation in feedlist/handler_image.php within the FeedList plugin: the i parameter, which is intended to identify an image, is neither validated against an expected format nor HTML-escaped before its value is rendered in the page. Because the value reaches the browser unencoded, any HTML or JavaScript an attacker places in it is interpreted rather than displayed, which is the cross-site scripting described in the steps above. The fix is the usual pair of controls: validate the parameter on input and encode it on output.
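The following is an added example, written in Python rather than the plugin's PHP and not taken from the FeedList source (which the page does not show). It models the flawed pattern from the steps above (the raw i value interpolated into an <img> tag), the hardened form with allowlist validation plus HTML encoding, and a log check that flags requests to handler_image.php whose i value does not match the expected image format. The allowlist pattern, the rendered markup and the access-log lines are all constructed assumptions.

```python
"""Added example (not FeedList's code): reflected XSS via an unvalidated,
unencoded request parameter, the hardened version, and a log-based check."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed format for the `i` parameter: a relative image file name such as
# "logo.png" or "img/feed-1.jpg". The real plugin's format is not on the page.
IMAGE_REF_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*\.(?:png|jpe?g|gif)$")


def is_valid_image_ref(value: str) -> bool:
    """Allowlist check: expected characters and extension only, no '..' segments."""
    return bool(IMAGE_REF_RE.fullmatch(value)) and ".." not in value


def render_vulnerable(i: str) -> str:
    """Reconstruction of the flawed pattern: the raw value of `i` is placed
    into the HTML response with neither validation nor encoding, so a value
    containing markup becomes part of the page."""
    return f'<img src="{i}" alt="feed image">'


def render_hardened(i: str) -> str:
    """Validate on input, then encode on output.

    Rejecting values that fail the allowlist is the primary control; the
    html.escape call is defense in depth so the output is safe in the
    attribute context even if the allowlist is later loosened."""
    if not is_valid_image_ref(i):
        return "<p>Invalid image reference.</p>"
    return f'<img src="{html.escape(i, quote=True)}" alt="feed image">'


# Constructed Apache-style access log lines (not real traffic). The second
# carries the percent-encoded form of the example payload from the advisory.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET '
    '/wp-content/plugins/feedlist/feedlist/handler_image.php?i=logo.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET '
    "/wp-content/plugins/feedlist/feedlist/handler_image.php"
    '?i=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 734',
    '198.51.100.2 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def suspicious_handler_requests(lines):
    """Return (client_ip, decoded_i_value) for every request to
    handler_image.php whose `i` value does not fit the expected image format.

    Matching on "does not look like an image reference" rather than on a
    list of known payload strings catches encoded and obfuscated variants too."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.endswith("/feedlist/handler_image.php"):
            continue
        # parse_qs percent-decodes the value, so the check sees what PHP would.
        for value in parse_qs(parts.query, keep_blank_values=True).get("i", []):
            if not is_valid_image_ref(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    probe = "<script>alert('XSS')</script>"
    print("vulnerable:", render_vulnerable(probe))
    print("hardened:  ", render_hardened(probe))
    print("hardened:  ", render_hardened("logo.png"))
    for ip, value in suspicious_handler_requests(LOG_LINES):
        print(f"suspicious request from {ip}: i={value!r}")
```

Running the block prints the unencoded markup the vulnerable renderer would emit, the rejection the hardened renderer returns for the same input, and one flagged log line from the constructed sample. In a WordPress plugin the same two controls map onto validating the parameter against the expected file-name format and passing it through the escaping function for the output context before echoing it.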