Stored Cross-Site Scripting in Sticky Side Buttons WordPress Plugin
CVE-2023-3666

3.3LOW

Key Information:

Vendor: WordPress
Status: Sticky Side Buttons
Vendor: CVE Published:; 3 September 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-3666?

The Sticky Side Buttons WordPress plugin prior to version 2.0.0 is vulnerable to Stored Cross-Site Scripting due to inadequate sanitization and escaping of its settings. This flaw permits high privilege users, such as administrators, to execute XSS attacks, even if the unfiltered_html capability is not granted, particularly in multisite environments. Such vulnerabilities can severely compromise the integrity and security of web applications.

Affected Version(s)

Sticky Side Buttons 0 < 2.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-3666 - Proof of Concept

References

https://wpscan.com/vulnerability/c37f1708-c154-41dc-9079-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Sep 3, 2025
👾
Exploit known to exist
Sep 3, 2025
Vulnerability published
Sep 3, 2025
Vulnerability Reserved
Jul 13, 2023

Credit

Sayandeep Dutta

WPScan

JSON