WordPress Plugin Vulnerabilities

Simple Light Weight Social Share <= 2.0 - Admin+ Stored XSS

Description

The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
only-tweet-like-share-and-google-1
No known fix

References

CVE
CVE-2023-37388
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/only-tweet-like-share-and-google-1/simple-light-weight-social-share-tweet-like-share-and-linkedin-20-authenticated-administrator-stored-cross-site-scripting

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Yuki Haruma
Verified
No
WPVDB ID
030934f8-464f-4543-b6c5-ff7ab4306ed7

Timeline

Publicly Published
2023-07-05 (about 2 years ago)
Added
2023-08-11 (about 2 years ago)
Last Updated
2023-08-11 (about 2 years ago)

Other

Published
Title
Published
2024-04-22
Title
Accessibility Widget < 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-03-06
Title
The Plus Addons for Elementor < 5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Header Meta Content Widget
Published
2024-04-22
Title
Widget Post Slider < 1.3.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2021-01-15
Title
FV Flowplayer Video Player < 7.4.38.727 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2025-07-09
Title
Lana Downloads Manager < 1.11.0 - Authenticated (Administrator+) Stored Cross-Site Scripting