Sassy Social Share Vulnerability – Authenticated (Administrator+) Stored Cross-Site Scripting – CVE-2024-4924 | WordPress Plugin Vulnerability Report
Plugin Name: Sassy Social Share
Key Information:
- Software Type: Plugin
- Software Slug: sassy-social-share
- Software Status: Active
- Software Author: heateor
- Software Downloads: 5,485,608
- Active Installs: 100,000
- Last Updated: May 22, 2024
- Patched Versions: 3.3.63
- Affected Versions: <= 3.3.62
Vulnerability Details:
- Name: Sassy Social Share <= 3.3.62 - Authenticated (Administrator+) Stored Cross-Site Scripting
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2024-4924
- CVSS Score: 4.4 (Medium)
- Publicly Published: May 22, 2024
- Researcher: Dmitrii Ignatyev
- Description: The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.62 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Summary:
The Sassy Social Share plugin for WordPress has a vulnerability in versions up to and including 3.3.62 that allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, due to insufficient input sanitization and output escaping. This vulnerability has been patched in version 3.3.63.
Detailed Overview:
Dmitrii Ignatyev discovered a Stored Cross-Site Scripting (XSS) vulnerability in the Sassy Social Share plugin for WordPress. The vulnerability exists in the plugin's admin settings due to insufficient input sanitization and output escaping. This vulnerability could allow authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability only affects multi-site installations and installations where unfiltered_html has been disabled. The vulnerability has been patched in version 3.3.63.
Advice for Users:
- Immediate Action: Update the Sassy Social Share plugin to version 3.3.63 or later.
- Check for Signs of Vulnerability: Review your site's pages and posts for any suspicious or unexpected scripts or content.
- Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
- Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.
The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 3.3.63 or later to secure their WordPress installations.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sassy-social-share
Detailed Report:
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.