The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Original 3rd-party’s report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4451
https://wpscan.com/vulnerability/a28f52a4-fd57-4f46-8983-f34c71ec88d5
Updated plugin details here 3.3.45 [20 DECEMBER 2022] – https://wordpress.org/plugins/sassy-social-share/#developers
