Slick Social Share Buttons <= 2.4.11 – Authenticated (Subscriber+) Arbitrary Option Update | CVE 2023-6878 | Plugin Vulnerabilities

Description

The Slick Social Share Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dcssb_ajax_update' function in versions up to, and including, 2.4.11. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily.

Affects Plugins

slick-social-share-buttons

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/79a5c01d-3867-4b1e-b0ba-9a802f0bed92

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

44336a93-fe32-43b9-9131-3851418851f3

Timeline

Publicly Published

2023-12-15 (about 2 years ago)

Added

2023-12-19 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2026-01-15

Title

Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit < 5.1.6 - Missing Authorization to Unauthenticated Rede Order Logs Deletion

Published

2024-10-14

Title

Adding drop down roles in registration <= 1.1 - Unauthenticated Privilege Escalation

Published

2025-01-30

Title

Single-user-chat <= 0.5 - Authenticated (Subscriber+) Limited Options Update

Published

2025-02-03

Title

Real Estate Manager – Property Listing and Agent Management <= 7.3 - CAPTCHA Bypass

Published

2017-11-29

Title

WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing