CVE-2022-30545 - Exploiting Authenticated Reflected XSS in 5 Anker Connect WordPress Plugin (≤ 1.2.6)

---

Vulnerabilities within WordPress plugins can open the doors for attack, even for sites that seem secure at first glance. One case in point is CVE-2022-30545—an *authenticated reflected Cross-Site Scripting (XSS)* vulnerability in the "5 Anker Connect" plugin, up to and including version 1.2.6. Let’s break down what this means, see how this hack works, and what you should do to stay safe.

What is 5 Anker Connect?

"5 Anker Connect" is a WordPress plugin designed to help users add social media icons to their sites easily. While it’s helpful, a security flaw in older versions can let bad actors run code in your browser.

Put Simply

A logged-in user (with minimum Editor role, possibly less) can exploit this bug to make WordPress reflect (echo back) dangerous JavaScript they provide in a plugin admin page. If an admin clicks a special link crafted by an attacker, their browser may execute unwanted code—stealing cookies, hijacking their account, or worse.

How Does the Exploit Work?

The problem lies in how user input isn’t sanitized or escaped when the plugin builds certain admin page URLs. For example, a user can manipulate the tab query parameter in the admin panel. The plugin simply inserts this value into the page, unfiltered.

Example Vulnerable URL

/wp-admin/admin.php?page=five-anker-connect&tab=<script>alert('XSS')</script>

When this URL is loaded by a user with sufficient privileges, the <script> tag is run, showing a popup or executing whatever JavaScript is inside.

A simplified sample that shows the lack of escaping

// File: five-anker-connect/admin/fac-admin.php

if (isset($_GET['tab'])) {
    $active_tab = $_GET['tab'];
} else {
    $active_tab = 'default';
}

// ... later echoed directly in the HTML
echo '<div id="' . $active_tab . '">';

Notice: The $active_tab variable is set directly from user input, never sanitized, and then inserted into the HTML page. That’s what opens the door for XSS.

Attackers create a malicious URL like the one above.

- They lure an admin or privileged user to click the link (perhaps through email or social engineering).

Try this proof-of-concept (for learning only!)

/wp-admin/admin.php?page=five-anker-connect&tab=%3Cscript%3Ealert(document.cookie)%3C/script%3E

If the admin is logged in and clicks this, they will see an alert showing their session cookie—a basic demo, but the attack can be much more serious.

References:

- WPScan Entry  
   - NVD Details  
   - Plugin Listing

Update the Plugin:

Go to your WordPress dashboard and update "5 Anker Connect" to the *latest* version. Vulnerabilities like this are exactly why updates matter.

`php

// Safe way to use user input in HTML attributes

Principle of Least Privilege:

Only give trusted users high-level access. The fewer people with admin/editor rights, the safer your site.

Final Thoughts

The CVE-2022-30545 vulnerability in 5 Anker Connect shows that even simple plugins can harbor dangerous flaws. The fix is simple—upgrade as soon as possible and be vigilant about plugin security. Remember, an outdated plugin is an open window for attackers!

If you run 5 Anker Connect, update right away, and advise your team never to click unexpected admin links.


*This post is original content based on public vulnerability disclosures.*

Timeline

Published on: 11/08/2022 19:15:00 UTC
Last modified on: 11/09/2022 13:58:00 UTC