[Security] Fixed Cross-Site Scripting vulnerability exploit in the shortcodes in Sassy Social Share < 3.3.45 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Original 3rd-party’s report on the vulnerability: Please note that questions related to this article should be directed to the 3rd-party researcher and not WP Engine: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4451

Updated plugin details here 3.3.45 [20 DECEMBER 2022] – https://wordpress.org/plugins/sassy-social-share/#developers

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *