WordPress Plugin Vulnerabilities

Social Sharing Plugin - Social Warfare < 4.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description

The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'social_warfare' shortcode in versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
social-warfare
Fixed in 4.4.4

References

CVE
CVE-2023-4842
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8f5b9aff-0833-4887-ae59-df5bc88c7f91

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
ab221b58-369e-4010-ae36-be099b2f4c9b

Timeline

Publicly Published
2023-11-06 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2024-11-08
Title
Rig Elements For Elementor <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-09-30
Title
DethemeKit For Elementor < 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-06-19
Title
URL Shortify < 1.7.0 - Admin+ Cross Site Scripting
Published
2022-05-26
Title
Post Grid, Slider & Carousel Ultimate < 1.5.0 - Admin+ Stored XSS
Published
2024-10-24
Title
Image Map Pro < 6.0.21 - Authenticated (Contributor+) Stored Cross-Site Scripting