Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-24746: Cross-site Scripting in Sassy Social Share

Severity: 6.1 MEDIUM (NVD)
EPSS: 2.3% (top 15.38%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Mar 28
Latest update: Mar 29

Description

The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is the default setting), leading to a Reflected Cross-Site Scripting issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (1 package)

🔴 Vulnerability Details (2)

GHSA: GHSA-rqh2-pcw6-q628: The Social Sharing Plugin WordPress plugin before 3 (2022-03-29)
CVEList: Sassy Social Share < 3.3.40 - Reflected Cross-Site Scripting (2022-03-28)

💥 Exploits & PoCs (1)

Nuclei: WordPress Sassy Social Share Plugin <3.3.40 - Cross-Site Scripting
CVE-2021-24746 — Cross-site Scripting | cvebase