Question 1

What is Sassy Social Share and why should I care about vulnerabilities?

Accepted Answer

What is Sassy Social Share and why should I care about vulnerabilities?

Sassy Social Share is a widely-used plugin to add social sharing buttons to WordPress sites. Over 5 million sites use it, so vulnerabilities put many at risk. A flaw means hackers may be able to modify sites running outdated versions.

Question 2

What does a stored cross-site scripting vulnerability let attackers do?

Accepted Answer

What does a stored cross-site scripting vulnerability let attackers do?

Stored cross-site scripting flaws enable hackers to inject malicious browser-executable scripts into pages and posts. When visitors go to compromised pages, these scripts activate without consent to carry out attacks. These include stealing user sessions, scraping data, and defacing sites with unwanted content.

Question 3

How serious is this vulnerability? Should I worry?

Accepted Answer

How serious is this vulnerability? Should I worry?

This medium severity vulnerability has a real-world impact. While mitigated by needing contributor access to exploit initially, attackers often find ways to escalate privileges. And malicious scripts can affect all site visitors once injected, spreading impact widely especially given Sassy Social Share's popularity.

Question 4

Why wasn’t this caught during development? Are all plugins this risky?

Accepted Answer

Why wasn’t this caught during development? Are all plugins this risky?

Catching every possible vulnerability during initial coding is extremely difficult, especially in complex software. While the developer response shows their concern for security, new issues emerge frequently even in mature software. However, using reputable maintained plugins reduces, even if it cannot eliminate, potential holes. Staying updated remains key.

Question 5

How do I know what Sassy Social Share version I have installed right now?

Accepted Answer

How do I know what Sassy Social Share version I have installed right now?

Log into your WordPress dashboard, go to Plugins > Installed Plugins, and check the version listed next to Sassy Social Share. Compare it to the tables on this page that show fixed and vulnerable releases, or the Wordfence vulnerability report linked at the end which lists all affected versions clearly.

Question 6

Should I just deactivate or delete the plugin rather than update?

Accepted Answer

Should I just deactivate or delete the plugin rather than update?

You can disable the plugin or remove it entirely if you wish, but upgrading to the latest patched version is recommended if you want to keep its functionality. Always backed up first before making major changes though.

Question 7

What could happen if I do nothing and keep running old Sassy Social Share?

Accepted Answer

What could happen if I do nothing and keep running old Sassy Social Share?

Leaving vulnerable versions active risks attackers discovering the site, injecting malicious scripts in pages/posts, and carrying out attacks impacting you or visitors. The vulnerability will not somehow "go away" on its own, so patching by updating is strongly advised, even if you have seen no issues yet.

Question 8

How do I update Sassy Social Share or any WordPress plugin?

Accepted Answer

How do I update Sassy Social Share or any WordPress plugin?

In your WP dashboard, go to Plugins > Installed Plugins, find the plugin name, and if the current version is fixed, click “Update Now”. Enable auto-updates for set and forget patching. Consider security notification services too to stay on top of emerging issues.

Question 9

Are other social sharing plugins safe alternatives?

Accepted Answer

Are other social sharing plugins safe alternatives?

Other popular sharing plugins may also have vulnerabilities - it is hard for any plugin developer to achieve perfect, long-term security. However, options like AddThis and Shareaholic are credible alternatives with large user bases and ongoing support. As always, maintaining updates remains key regardless of your choice.

Question 10

Where can I learn more about locking down my WordPress site?

Accepted Answer

Where can I learn more about locking down my WordPress site?

WordPress security can be complex, but is a critical topic for any site owner to master. See the linked Wordfence guide on locking down WordPress for an excellent starting point. Ongoing education, not just software updates, is key to managing threats over time as the landscape evolves.

Beaver Builder Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-0897 | WordPress Plugin Vulnerability Report

3D FlipBook Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Bookmarks – CVE-2024-1081 | WordPress Plugin Vulnerability Report

Schema & Structured Data for WP & AMP Vulnerability – Missing Authorization to reCaptcha Key Modification & Authenticated (Custom) Stored Cross-Site Scripting – CVE-2024-1288 & CVE-2024-1586 | WordPress Plugin Vulnerability Report

Featured Image from URL Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via fifu_input_url – CVE-2024-1496 | WordPress Plugin Vulnerability Report

Password Protected Vulnerability – Authenticated (Admin+) Stored Cross-Site Scripting – CVE-2024-0656 | WordPress Plugin Vulnerability Report

Shortcodes Ultimate Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via su_tooltip Shortcode – CVE-2024-1510 | WordPress Plugin Vulnerability Report

Ocean Extra Vulnerability- Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1277 | WordPress Plugin Vulnerability Report

Page scroll to id – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2024-1445 |WordPress Plugin Vulnerability Report

WP Maintenance Vulnerability – Information Exposure – CVE-2024-1472 | WordPress Plugin Vulnerability Report

Recent Blog Posts

LearnPress Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter – CVE-2024-4971 | WordPress Plugin Vulnerability Report

Media Library Assistant Vulnerability – Authenticated (Contributor+) SQL Injection via Shortcode & Reflected Cross-Site Scripting via lang – CVE-2024-3518 & CVE-2024-3519 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy