WordPress Plugin Vulnerabilities

NextScripts: Social Networks Auto-Poster < 4.3.21 - Reflected Cross-Site Scripting

Description

The plugin does not escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting

Affects Plugins

Plugin icon
social-networks-auto-poster-facebook-twitter-g
Fixed in 4.3.21

References

CVE
CVE-2021-38356
URL
https://www.wordfence.com/blog/2021/10/xss-vulnerability-in-nextscripts-social-networks-auto-poster-plugin-impacts-100000-sites/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Ramuel Gall
Verified
Yes
WPVDB ID
db5ffe41-1aef-42fd-83ba-dfea97e3f45a

Timeline

Publicly Published
2021-10-29 (about 4 years ago)
Added
2021-10-29 (about 4 years ago)
Last Updated
2022-04-08 (about 4 years ago)

Other

Published
Title
Published
2024-11-27
Title
Icegram Engage < 3.1.32 - Admin+ Stored XSS
Published
2024-08-29
Title
MemberPress < 1.11.30 - Reflected Cross-Site Scripting via mepr_screenname and mepr_key Parameters
Published
2025-12-04
Title
Nouri.sh Newsletter <= 1.0.1.3 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
Published
2016-04-17
Title
FAQ WD < 1.0.17 - Cross-Site Scripting (XSS)
Published
2016-07-13
Title
All in One SEO Pack <= 2.3.7 - Unauthenticated Stored Cross-Site Scripting (XSS)