Social Media Widget by Acurax [CSRF]


The plugin implements the AJAX action acx_asmw_saveorder, which calls back the function acx_asmw_saveorder_callback. The latter does not implement any
anti-CSRF controls, thus allowing a malicious actor to perform an attack that could update the plugin-specific option social_widget_icon_array_order.

The vulnerable parameter is $_POST['recordsArray'], and it is saved as an option with the name social_widget_icon_array_order.

Leveraging the CSRF could lead to a Persistent XSS (see PoC). The payload will be served when a user with the right privileges visits the plugin’s settings page (wp-admin/admin.php?page=Acurax-Social-Widget-Settings).

The vulnerable code is located in the file acurax-social-media-widget/function.php at line 993:


In this PoC we leverage the CSRF vulnerability to perform a Persistent XSS attack. The payload is available in the plugin’s settings.
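For reference, the following is an added example of how the AJAX handler described above can be hardened; it is not the plugin's own code and not the vendor's fix. The function, parameter and option names (acx_asmw_saveorder_callback, recordsArray, social_widget_icon_array_order) are taken from the advisory; the nonce action name acx_asmw_saveorder_nonce, the 'security' request field and the list of allowed icon identifiers are assumptions made for this illustration.

```php
<?php
// Added example (not the plugin's own code): a hardened version of the AJAX
// save-order handler. Names taken from the advisory: acx_asmw_saveorder,
// acx_asmw_saveorder_callback, recordsArray, social_widget_icon_array_order.
// Assumptions: nonce action 'acx_asmw_saveorder_nonce', request field
// 'security', and the allowed icon identifier list below.

add_action( 'wp_ajax_acx_asmw_saveorder', 'acx_asmw_saveorder_callback' );

function acx_asmw_saveorder_callback() {
    // 1. Anti-CSRF control: require a valid nonce bound to this action.
    //    A cross-site forged request cannot supply it, so check_ajax_referer()
    //    terminates the request here with a -1 response.
    check_ajax_referer( 'acx_asmw_saveorder_nonce', 'security' );

    // 2. Authorization: a nonce proves intent, not privilege. Only users who
    //    may manage options should be able to change plugin options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation: the advisory states recordsArray is stored as-is,
    //    which is what turns the CSRF into a persistent XSS. Restrict the
    //    value to a comma-separated list of known icon identifiers so no
    //    markup can be persisted and later rendered on the settings page.
    $allowed = array( 'facebook', 'twitter', 'linkedin', 'rss' ); // assumption
    $raw     = isset( $_POST['recordsArray'] ) ? wp_unslash( $_POST['recordsArray'] ) : '';
    $items   = array_filter( array_map( 'trim', explode( ',', sanitize_text_field( $raw ) ) ) );
    $order   = array_values( array_intersect( $items, $allowed ) );

    if ( empty( $order ) ) {
        wp_send_json_error( 'no valid icon identifiers in recordsArray', 400 );
    }

    // Store only the validated, canonical form of the order.
    update_option( 'social_widget_icon_array_order', implode( ',', $order ) );
    wp_send_json_success( $order );
}

// The admin-side script that issues the AJAX call must send back a nonce
// generated on the settings page with wp_create_nonce( 'acx_asmw_saveorder_nonce' )
// in the 'security' field. When the stored order is printed on the settings
// page it should still be escaped on output, e.g.:
//   echo esc_html( get_option( 'social_widget_icon_array_order' ) );
```

The three checks are independent layers: the nonce stops cross-site requests, the capability check stops low-privilege authenticated users, and the allow-list on save removes the stored-XSS sink even if a request does get through. Escaping on output is kept as well, because option values may already have been written before the fix was deployed.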