Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-4971 — Cross-site Scripting in Social Sharing Plugin Sassy Social Share

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

10.1%

top 6.89%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Heateor Social Sharing Plugin Sassy Social Share Heateor Sassy Social Share

Timeline

PublishedOct 16

Description

The Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'urls' parameter called via the 'heateor_sss_sharing_count' AJAX action in versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5heateor/social_sharing_plugin_sassy_social_share3.3.3

▶NVDheateor/sassy_social_share3.3.3

🔴Vulnerability Details

GHSA

GHSA-2pwc-9576-pf85: The Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'urls' parameter called via the 'heateor_sss_shari↗2024-10-16

▶

CVEList

Sassy Social Share <= 3.3.3 - Reflected Cross-Site Scripting↗2024-10-16

▶

VulnCheck

Sassy Social Share plugin for WordPress heateor_sss_sharing_count AJAX Action Vulnerability↗2022

▶

💥Exploits & PoCs

Nuclei

Sassy Social Share <= 3.3.3 - Cross-Site Scripting

▶