WordPress Plugin Vulnerabilities

Simple Share Buttons Adder < 8.4.12 - Authenticated(Administrator+) Stored Cross-Site Scripting via CSS Settings

Description

The Simple Share Buttons Adder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
simple-share-buttons-adder
Fixed in 8.4.12

References

CVE
CVE-2024-0621
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/93ab9f1a-26ce-466a-a5d3-d2046ec8f94d

Classification

Type
CROSS FRAME SCRIPTING
OWASP top 10
A1: Injection
CWE
CWE-80
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Akbar Kustirama
Verified
No
WPVDB ID
09714361-b910-4724-8468-4e6fdfc616cc

Timeline

Publicly Published
2024-02-14 (about 2 years ago)
Added
2024-02-14 (about 2 years ago)
Last Updated
2024-02-14 (about 2 years ago)

Other

Published
Title
Published
2024-01-12
Title
Advanced Woo Search < 2.97 - Reflected Cross-Site Scripting
Published
2024-04-18
Title
Jotform Online Forms < 1.3.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-09-16
Title
Memberlite Shortcodes < 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-04-11
Title
WPBakery Visual Composer < 7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Author
Published
2024-04-30
Title
Cost Calculator Builder Pro < 3.1.68 - Unauthenticated Cross-Site Scripting via SVG Upload