WordPress Plugin Vulnerabilities

Social Share Boost < 4.5 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
social-share-boost
Fixed in 4.5

References

CVE
CVE-2023-23688

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
fdc6674f-97ac-44a6-93ab-b7636d3e511f

Timeline

Publicly Published
2023-04-19 (about 2 years ago)
Added
2023-05-15 (about 2 years ago)
Last Updated
2023-08-18 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
Proof Factor – Social Proof Notifications <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-04-26
Title
Smart Recent Posts Widget <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting
Published
2025-03-19
Title
Management-screen-droptiles <= 1.0 - Reflected Cross-Site Scripting
Published
2022-01-18
Title
Five Star Business Profile and Schema < 2.1.7 - Subscriber+ Page Creation & Settings Update to Stored XSS
Published
2023-12-29
Title
EventON-RSVP < 2.9.5 - Reflected XSS