Vulnerabilites related to Unknown - Social Sharing Plugin
CVE-2024-2159 (GCVE-0-2024-2159)
Vulnerability from cvelistv5
Published
2024-04-26 05:00
Modified
2024-10-30 13:50
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Social Sharing Plugin WordPress plugin before 3.3.61 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
References
▼ | URL | Tags |
---|---|---|
https://wpscan.com/vulnerability/d7fa9849-c82a-4efd-84b6-9245053975ba/ | exploit, vdb-entry, technical-description |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Unknown | Social Sharing Plugin |
Version: 0 ≤ |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:wpsocialrocket:social_sharing_plugin:-:*:*:*:*:wordpress:*:*" ], "defaultStatus": "unknown", "product": "social_sharing_plugin", "vendor": "wpsocialrocket", "versions": [ { "lessThan": "3.3.61", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-2159", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-30T13:48:12.273170Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-30T13:50:02.420Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T19:03:39.309Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "exploit", "vdb-entry", "technical-description", "x_transferred" ], "url": "https://wpscan.com/vulnerability/d7fa9849-c82a-4efd-84b6-9245053975ba/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Social Sharing Plugin ", "vendor": "Unknown", "versions": [ { "lessThan": "3.3.61", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Dmitrii Ignatyev" }, { "lang": "en", "type": "coordinator", "value": "WPScan" } ], "descriptions": [ { "lang": "en", "value": "The Social Sharing Plugin WordPress plugin before 3.3.61 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks" } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-26T05:00:02.306Z", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "exploit", "vdb-entry", "technical-description" ], "url": "https://wpscan.com/vulnerability/d7fa9849-c82a-4efd-84b6-9245053975ba/" } ], "source": { "discovery": "EXTERNAL" }, "title": "Sassy Social Share \u003c 3.3.61 - Contributor+ Stored XSS", "x_generator": { "engine": "WPScan CVE Generator" } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2024-2159", "datePublished": "2024-04-26T05:00:02.306Z", "dateReserved": "2024-03-04T11:05:58.828Z", "dateUpdated": "2024-10-30T13:50:02.420Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-4924 (GCVE-0-2024-4924)
Vulnerability from cvelistv5
Published
2024-06-12 06:00
Modified
2024-10-28 20:16
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Social Sharing Plugin WordPress plugin before 3.3.63 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
References
▼ | URL | Tags |
---|---|---|
https://wpscan.com/vulnerability/1867505f-d112-4919-9fd5-01745aa0433e/ | exploit, vdb-entry, technical-description |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Unknown | Social Sharing Plugin |
Version: 0 ≤ |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-4924", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-12T12:21:01.534230Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-28T20:16:31.603Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-01T20:55:10.336Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "exploit", "vdb-entry", "technical-description", "x_transferred" ], "url": "https://wpscan.com/vulnerability/1867505f-d112-4919-9fd5-01745aa0433e/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Social Sharing Plugin ", "vendor": "Unknown", "versions": [ { "lessThan": "3.3.63", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Dmitrii Ignatyev" }, { "lang": "en", "type": "coordinator", "value": "WPScan" } ], "descriptions": [ { "lang": "en", "value": "The Social Sharing Plugin WordPress plugin before 3.3.63 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)" } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-12T06:00:02.287Z", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "exploit", "vdb-entry", "technical-description" ], "url": "https://wpscan.com/vulnerability/1867505f-d112-4919-9fd5-01745aa0433e/" } ], "source": { "discovery": "EXTERNAL" }, "title": "Sassy social share \u003c 3.3.63 Admin+ Stored Cross-Site scripting", "x_generator": { "engine": "WPScan CVE Generator" } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2024-4924", "datePublished": "2024-06-12T06:00:02.287Z", "dateReserved": "2024-05-15T12:04:41.378Z", "dateUpdated": "2024-10-28T20:16:31.603Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-4451 (GCVE-0-2022-4451)
Vulnerability from cvelistv5
Published
2023-01-16 15:38
Modified
2025-04-04 17:45
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Social Sharing WordPress plugin before 3.3.45 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
References
▼ | URL | Tags |
---|---|---|
https://wpscan.com/vulnerability/a28f52a4-fd57-4f46-8983-f34c71ec88d5 | exploit, vdb-entry, technical-description |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Unknown | Social Sharing Plugin |
Version: 0 < 3.3.45 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:41:44.692Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "exploit", "vdb-entry", "technical-description", "x_transferred" ], "url": "https://wpscan.com/vulnerability/a28f52a4-fd57-4f46-8983-f34c71ec88d5" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2022-4451", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-04T17:45:03.270588Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-04T17:45:41.897Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "product": "Social Sharing Plugin", "vendor": "Unknown", "versions": [ { "lessThan": "3.3.45", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "Lana Codes" }, { "lang": "en", "type": "coordinator", "value": "WPScan" } ], "descriptions": [ { "lang": "en", "value": "The Social Sharing WordPress plugin before 3.3.45 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins." } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-79 Cross-Site Scripting (XSS)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-16T15:38:06.045Z", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan" }, "references": [ { "tags": [ "exploit", "vdb-entry", "technical-description" ], "url": "https://wpscan.com/vulnerability/a28f52a4-fd57-4f46-8983-f34c71ec88d5" } ], "source": { "discovery": "EXTERNAL" }, "title": "Sassy Social Share \u003c 3.3.45 - Contributor+ Stored XSS", "x_generator": { "engine": "WPScan CVE Generator" } } }, "cveMetadata": { "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-4451", "datePublished": "2023-01-16T15:38:06.045Z", "dateReserved": "2022-12-13T14:50:47.921Z", "dateUpdated": "2025-04-04T17:45:41.897Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }