CVE-2023-4842
Published 2023-11-07. CVE-2023-4842: The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'social_warfare' shortcode in versions up to…
Priority P4 · 23 · medium · 5.4 · CVSS 3.1
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.57% (42.7th percentile)
The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'social_warfare' shortcode in versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| warfareplugins | social_sharing_plugin_social_warfare | <= 4.4.3 | — |
| warfareplugins | social_warfare | <= 4.4.3 | — |
CVSS provenance
- nvd (v3.1): 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- osv: 5.5 MEDIUM
VulDB
CVE-2023-4842 [MEDIUM] Social Sharing Plugin up to 4.4.3 on WordPress Shortcode cross site scripting (ID 2982662)
vuldb · 2026-04-11 · CVSS 6.4
A vulnerability was found in Social Sharing Plugin up to 4.4.3 on WordPress. It has been classified as problematic. This vulnerability affects unknown code of the component Shortcode Handler. Performing a manipulation results in cross site scripting.
This vulnerability is cataloged as CVE-2023-4842. It is possible to initiate the attack remotely. There is no exploit available.
GHSA
CVE-2023-4842 [MEDIUM] CWE-79 GHSA-mfxr-7r69-92fv: The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'social_warfare' shortcode in version
ghsa_unreviewed · 2023-11-14
The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'social_warfare' shortcode in versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
OSV
CVE-2022-4842 linux-oem-6.0 vulnerabilities
osv · 2023-07-18 · CVSS 5.5
It was discovered that the NTFS file system implementation in the Linux
kernel contained a null pointer dereference in some situations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2022-4842)
Jordy Zomer and Alexandra Sandulescu discovered that the Linux kernel did
not properly implement speculative execution barriers in usercopy functions
in certain situations. A local attacker could use this to expose sensitive
information (kernel memory). (CVE-2023-0459)
Seth Jenkins discovered that the Linux kernel did not properly perform
address randomization for a per-cpu memory management structure. A local
attacker could use this to expose sensitive information (kernel memory)
or in conjunction with another kernel vulnerability.
OSV
CVE-2023-35788 linux-oem-5.17 vulnerabilities
osv · 2023-07-06 · CVSS 5.5
Hangyu Hua discovered that the Flower classifier implementation in the
Linux kernel contained an out-of-bounds write vulnerability. An attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2023-35788, LP: #2023577)
It was discovered that the NTFS file system implementation in the Linux
kernel contained a null pointer dereference in some situations. A local
attacker could use this to cause a denial of service (system crash).
(CVE-2022-4842)
Seth Jenkins discovered that the Linux kernel did not properly perform
address randomization for a per-cpu memory management structure. A local
attacker could use this to expose sensitive information (kernel memory)
or in conjunction with another kernel vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/browser/social-warfare/tags/4.4.1/lib/buttons-panel/SWP_Buttons_Panel_Trait.php#L304
- https://plugins.trac.wordpress.org/browser/social-warfare/tags/4.4.1/lib/buttons-panel/SWP_Buttons_Panel_Trait.php#L877
- https://plugins.trac.wordpress.org/changeset/2982662/social-warfare#file0
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8f5b9aff-0833-4887-ae59-df5bc88c7f91?source=cve
Published: 2023-11-07