Stored Cross-Site Scripting Flaw in Sticky Social Icons Plugin for WordPress
CVE-2024-10551

Currently unrated

Key Information:

Vendor: Wordpress
Status: Sticky Social Icons
Vendor: CVE Published:; 6 December 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

CVE-2024-10551 is a stored cross-site scripting vulnerability found in the Sticky Social Icons plugin for WordPress, specifically versions up to 1.2.1. This security flaw arises from the plugin's failure to properly sanitize and escape certain settings. As a result, even restricted users (e.g., those without unfiltered HTML capabilities) such as administrators can exploit this vulnerability to inject malicious scripts. This poses significant risks, especially within multisite WordPress installations, where an attacker can spread harmful scripts to multiple sites. It is crucial for users and administrators to update the plugin promptly and implement security best practices to prevent potential exploitations.

Affected Version(s)

Sticky Social Icons 0 <= 1.2.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10551 - Proof of Concept

References

https://wpscan.com/vulnerability/cd1aea4a-e5a6-4f87-805d-...

exploitvdb-entrytechnical-description

Timeline

🟡
Public PoC available
Dec 6, 2024
👾
Exploit known to exist
Dec 6, 2024
Vulnerability published
Dec 6, 2024
Vulnerability Reserved
Oct 30, 2024

Credit

Krugov Aryom

WPScan