WordPress Plugin Vulnerabilities

Social Sharing Plugin – Sassy Social Share < 3.3.76 - Reflected Cross-Site Scripting via 'heateor_mastodon_share' Parameter

Description

The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link.

Affects Plugins

Plugin icon
sassy-social-share
Fixed in 3.3.76

References

CVE
CVE-2025-5528
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/99e922ec-d40a-47e7-a10f-d966a351d182

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Naveen H N
Verified
No
WPVDB ID
9051ceba-e70f-4d7e-a9ff-fd4a007dbea5

Timeline

Publicly Published
2025-06-06 (about 11 months ago)
Added
2025-06-06 (about 11 months ago)
Last Updated
2025-06-07 (about 11 months ago)

Other

Published
Title
Published
2021-04-23
Title
Redirect 404 to Parent < 1.3.1 - Reflected Cross-Site Scripting (XSS)
Published
2024-07-09
Title
Send email only on Reply to My Comment <= 1.0.6 - Reflected XSS
Published
2024-12-11
Title
Connect Contact Form 7 to Constant Contact < 1.5 - Reflected Cross-Site Scripting
Published
2024-06-22
Title
SVG Block < 1.1.20 - Author+ Stored XSS via SVG File Upload
Published
2025-03-21
Title
UTM tags tracking for Contact Form 7 <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting