WordPress Plugin Vulnerability Report – Shareaholic – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode – CVE-2023-4889

Plugin Name: Shareaholic

Key Information:

  • Software Type: Plugin
  • Software Slug: shareaholic
  • Software Status: Active
  • Software Author: shareaholic
  • Software Downloads: 4,734,248
  • Active Installs: 30,000
  • Last Updated: November 14, 2023
  • Patched Versions: 9.7.9
  • Affected Versions: <= 9.7.8

Vulnerability Details:

  • Name: Shareaholic <= 9.7.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2023-4889
  • CVSS Score: 6.4 (Medium)
  • Publicly Published: November 14, 2023
  • Researcher: István Márton
  • Description: The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shareaholic' shortcode in versions up to, and including, 9.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Shareaholic plugin for WordPress has a vulnerability in versions up to and including 9.7.8 that allows authenticated users with Contributor-level access or higher to store arbitrary JavaScript in pages and posts through the 'shareaholic' shortcode. The payload executes in the browser of anyone who renders the affected content. This vulnerability has been patched in version 9.7.9.

Detailed Overview:

The vulnerability, tracked as CVE-2023-4889, exists because Shareaholic does not sufficiently sanitize or escape user-supplied attributes of the 'shareaholic' shortcode. Any account that can edit post content, which in WordPress starts at the Contributor role, can place a shortcode with crafted attribute values in a post; the payload is stored with the post and runs in the browser of whoever renders it. Contributors cannot publish, but a pending post is rendered when an Editor or Administrator previews it for review, which is the usual route from this class of bug to a privileged victim. WordPress marks its login cookies HttpOnly, so the realistic impact is not cookie theft but actions carried out with the victim's privileges in their own session, such as creating an administrator account, installing a plugin or editing a theme file. The vulnerability was privately disclosed by researcher István Márton and has been given a CVSS severity score of 6.4 (Medium). Users are strongly advised to update to Shareaholic version 9.7.9 or later as soon as possible. Failing to patch leaves roughly 30,000 active WordPress sites exposed to stored XSS from any low-privilege account.

Advice for Users:

  1. Immediate Action: Update to Shareaholic version 9.7.9 or newer as soon as possible.
  2. Check for Signs of Compromise: Review your site's posts and pages, including drafts, pending posts and revisions, for 'shareaholic' shortcodes with unexpected attribute values and for JavaScript or iframes you did not add, paying particular attention to content authored by Contributor accounts. Also check for administrator accounts you did not create.
  3. Alternate Plugins: Consider using alternate social sharing plugins like AddThis or Simple Share Buttons Adder as a precaution, but confirm that a replacement is still maintained before relying on it; the AddThis service was discontinued by Oracle in 2023, and any plugin you switch to needs the same update discipline.
  4. Stay Updated: Always keep your WordPress plugins updated to avoid potential vulnerabilities.
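The review in step 2 is tedious by hand, so here is an added example of how to script it. This is written for this report and is neither Shareaholic's code nor a Wordfence tool; it does not know the plugin's genuine attribute names, so instead of whitelisting it flags any attribute value carrying markup, quotes, a script scheme or an inline event handler, any attribute named on-something, and any text in the shortcode that a key=value parser cannot consume (which is where a "><img ...> breakout lands). The sample rows are constructed; in practice feed scan_posts() rows from the wp_posts table, which also holds revisions.

```python
"""
Hunt for [shareaholic ...] shortcodes whose attributes look like stored-XSS
payloads, as a triage step after CVE-2023-4889.

Added example for this report: not Shareaholic's code and not a Wordfence tool.
It does not know the plugin's real attribute list, so it flags values that no
legitimate button/app identifier should contain. SAMPLE_POSTS is constructed;
real use means feeding rows from wp_posts (ID, post_author, post_status,
post_content), revisions included.
"""
import re

# Opening tag of the shortcode; group 1 is the raw attribute text.
SHORTCODE_RE = re.compile(r"\[shareaholic\b([^\]]*)\]", re.IGNORECASE)

# key="value", key='value' or key=bareword, in the spirit of
# WordPress's shortcode_parse_atts() but deliberately simplified.
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Indicators inside an attribute value that point at injected markup or script.
VALUE_INDICATORS = [
    ("markup", re.compile(r"[<>]")),
    ("quote", re.compile(r"""["'`]""")),
    ("script_scheme", re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)),
    ("inline_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("numeric_entity", re.compile(r"&#x?[0-9a-f]+;", re.I)),
]
EVENT_ATTR_RE = re.compile(r"^on[a-z]+$")


def parse_attrs(raw):
    """Parse key=value pairs and also return the text the parser could not
    consume; a broken-out payload such as "><img ...> ends up there."""
    attrs = {}
    leftover = []
    pos = 0
    for m in ATTR_RE.finditer(raw):
        leftover.append(raw[pos:m.start()])
        pos = m.end()
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    leftover.append(raw[pos:])
    return attrs, "".join(leftover).strip(" \t\r\n/")


def inspect_shortcode(raw_attrs):
    """Return reason strings for one shortcode; an empty list means it looks benign."""
    reasons = []
    attrs, leftover = parse_attrs(raw_attrs)
    for name, value in attrs.items():
        if EVENT_ATTR_RE.match(name):
            reasons.append(f"event_handler_attribute:{name}")
        for label, rx in VALUE_INDICATORS:
            if rx.search(value):
                reasons.append(f"{label}_in_value:{name}")
    if leftover:
        reasons.append(f"unparsed_text:{leftover[:40]}")
    return reasons


def scan_posts(posts):
    """Return one finding per suspicious shortcode occurrence across all posts."""
    findings = []
    for post in posts:
        for m in SHORTCODE_RE.finditer(post["post_content"]):
            reasons = inspect_shortcode(m.group(1))
            if reasons:
                findings.append({
                    "post_id": post["ID"],
                    "post_author": post["post_author"],
                    "post_status": post["post_status"],
                    "shortcode": m.group(0),
                    "reasons": reasons,
                })
    return findings


# Constructed sample rows. Posts 102 and 103 belong to a low-privilege author
# (ID 7) and are unpublished, which is exactly where a Contributor+ payload
# sits while it waits for an editor or administrator to preview it.
SAMPLE_POSTS = [
    {"ID": 101, "post_author": 2, "post_status": "publish",
     "post_content": 'Hello [shareaholic app="share_buttons" id="12345678"] world'},
    {"ID": 102, "post_author": 7, "post_status": "pending",
     "post_content": "[shareaholic app='share_buttons' id='1' onmouseover='alert(document.domain)']"},
    {"ID": 103, "post_author": 7, "post_status": "draft",
     "post_content": '[shareaholic app="share_buttons" id="1"><img src=x onerror=alert(1)>"]'},
    {"ID": 104, "post_author": 3, "post_status": "publish",
     "post_content": "No shortcode in this post."},
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']} (author {f['post_author']}, {f['post_status']}): "
              f"{', '.join(f['reasons'])}")
```

Run against the constructed rows it reports posts 102 and 103 and stays quiet on the legitimate shortcode in 101. Treat hits as leads, not verdicts: a value containing a quote or an angle bracket may be an editor's typo, but an on-something attribute or unparsed markup inside the shortcode has no innocent explanation and the authoring account should be reviewed.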

Conclusion:

Shareaholic's prompt release of version 9.7.9 to address this vulnerability is a positive sign. WordPress site owners should nevertheless treat this vulnerability with priority and update immediately. Exploitation requires nothing more than a Contributor account and a shortcode in a post, and a payload that fires in an administrator's browser during a preview leaves nothing visible on the public site, so a compromised site may show no obvious outward signs.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shareaholic

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/shareaholic/shareaholic-978-authenticated-contributor-stored-cross-site-scripting-via-shortcode

Detailed Report:

Keeping your WordPress website and its plugins up-to-date is one of the most important things you can do to maintain security. Unfortunately, a vulnerability was recently disclosed in the popular social sharing plugin Shareaholic that affects over 30,000 active sites. This vulnerability, tracked as CVE-2023-4889, makes it possible for authenticated attackers with Contributor-level access or higher to inject malicious JavaScript payloads into pages and posts. If exploited, this could lead to compromised user accounts, stolen data, defaced sites, and a host of other problems. The good news is that Shareaholic has already issued a patch in version 9.7.9. In this post, we'll break down exactly what this vulnerability is, what versions are affected, how to update, and what you can do if you suspect your site has been compromised. We want to empower WordPress site owners to take control of their security. If you have any concerns about this vulnerability or need help updating, don't hesitate to reach out.

Shareaholic is a popular social sharing plugin installed on over 30,000 active WordPress sites. It allows site owners to easily add share buttons for various social networks. However, a serious vulnerability has been disclosed in Shareaholic versions up to and including 9.7.8. This vulnerability, tracked as CVE-2023-4889, allows authenticated users with contributor access or higher to inject arbitrary JavaScript payloads into pages and posts.

Specifically, the vulnerability exists because Shareaholic does not properly sanitize or escape the attributes supplied to its 'shareaholic' shortcode. By providing crafted attribute values, an attacker can store a cross-site scripting payload in a post or page that executes when the content is rendered for a victim, including when an editor or administrator previews a pending post submitted by a contributor.

This could empower bad actors to act with the privileges of whoever views the page. WordPress marks its login cookies HttpOnly, so reading them from script is not the realistic goal; the danger is script running in an administrator's session, where it can create new administrator accounts, plant backdoors in theme or plugin files, scrape data from the dashboard, deface the site, or redirect visitors. Because the payload sits in post content and fires in the victim's browser, a compromised site may not show obvious signs of an attack.

The good news is that Shareaholic has already issued a patch by releasing version 9.7.9. All WordPress site owners using Shareaholic should update to this latest version as soon as possible. You can do this easily from the WordPress admin dashboard by navigating to Plugins > Installed Plugins and clicking "Update" next to Shareaholic, then confirming that the version shown is 9.7.9 or later.

If you suspect your site may have already been compromised, check for unauthorized users (especially new administrators), changes to existing posts and pages, and unexpected files uploaded. Include drafts, pending posts and post revisions in the review, since a payload can sit in unpublished content or survive in a revision after the visible post has been cleaned up, and look closely at content authored by Contributor accounts. Also have a developer review your site for any malicious code injections, and rotate the passwords of any administrator who may have previewed a tampered post.

This is not the first vulnerability found in Shareaholic. In fact, two other security issues have been reported since April 2015. This underscores the importance of staying vigilant and keeping all your plugins updated, not just Shareaholic.

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.
