Sticky Side Buttons < 2.0.0 – Admin+ Stored XSS | CVE 2023-3666 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Proof of Concept

1. Go to Sticky Side Buttons in admin panel.
2. Click add buttons and add <script>alert(1)</script> in the Button Text area.
3. Save it and refresh the page.
4. The XSS will load showing a alert(1) pop up.

Affects Plugins

sticky-side-buttons

Fixed in 2.0.0

References

CVE

YouTube Video

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Sayandeep Dutta

Submitter

Sayandeep Dutta

Submitter website

https://www.linkedin.com/in/samdutta07

Verified

Yes

WPVDB ID

c37f1708-c154-41dc-9079-3230827eed1b

Timeline

Publicly Published

2025-08-13 (about 4 months ago)

Added

2025-08-13 (about 4 months ago)

Last Updated

2025-08-13 (about 4 months ago)

Other

Published

Title

Published

2025-07-07

Title

ListingEasy <= 1.9.2 - Reflected Cross-Site Scripting

Published

2023-09-01

Title

Smarty for WordPress <= 3.1.35 - Admin+ Stored XSS

Published

2025-07-01

Title

WP Front-end login and register <= 2.1.0 - Reflected Cross-Site Scripting

Published

2023-12-13

Title

WP Crowdfunding < 2.1.9 - Reflected XSS

Published

2022-06-02

Title

Ultimate WooCommerce CSV Importer <= 2.0 - Reflected Cross-Site Scripting