WordPress Plugin Vulnerabilities

Simple Social Media Share Buttons < 3.2.4 - Authenticated Stored Cross-Site Scripting

Description

The plugin does not escape the Share Title settings before outputting it in the frontend pages or posts (depending on the settings used), allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

Put the following payload <svg onload=alert(/XSS/)> in the Share Title settings of the plugin (with at least one Social Buttons Designs enabled)

The XSS will be triggered depending on the Post type Settings selected (like just homepage, posts, pages etc)

Affects Plugins

Plugin icon
simple-social-buttons
Fixed in 3.2.4

References

CVE
CVE-2021-24656
URL
https://www.hackpertise.com/cve/17-cve-2021-24656/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.8 (medium)

Miscellaneous

Original Researcher
Asif Nawaz Minhas
Submitter
Asif Nawaz Minhas
Verified
Yes
WPVDB ID
8e897dcc-6e52-440b-83ad-b119c55751c7

Timeline

Publicly Published
2021-09-13 (about 2 years ago)
Added
2021-09-13 (about 2 years ago)
Last Updated
2023-04-12 (about 7 months ago)

Other

Published
Title
Published
2022-05-30
Title
WP Zillow Review Slider < 2.4 - Admin+ Stored Cross-Site Scripting
Published
2023-10-02
Title
Onclick Show Popup < 6.6 - Admin+ Stored XSS
Published
2016-09-02
Title
Recipes Writer <= 1.0.4 - XSS
Published
2022-12-07
Title
WP Calendar <= 1.5.3 - Contributor+ Stored XSS
Published
2020-02-27
Title
Async Javascript < 2.20.02.27 - Subscriber+ Stored XSS via Plugin Settings Change