Stored Cross-Site Scripting in Social Warfare Plugin for WordPress
CVE-2024-1959

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Social Sharing Plugin – Social Warfare
Vendor: CVE Published:; 2 May 2024

Summary

The Social Warfare plugin for WordPress is susceptible to a Stored Cross-Site Scripting vulnerability through the 'socialWarfare' shortcode due to inadequate input sanitization and output escaping of user-supplied attributes. This flaw allows authenticated attackers with contributor-level permissions or higher to inject malicious scripts into pages, leading to potential execution whenever users access those compromised pages. It is vital for website administrators using the affected versions to implement immediate security measures to mitigate this threat.

Affected Version(s)

Social Sharing Plugin – Social Warfare * <= 4.4.6.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/social-warfare...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 2, 2024
Vulnerability Reserved
Feb 27, 2024

Credit

Krzysztof Zając