CVE-2023-4889 in Shareaholic Plugininfo

Summary

by MITRE • 11/15/2023

The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shareaholic' shortcode in versions up to, and including, 9.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/11/2026

The Shareaholic plugin for WordPress represents a significant security vulnerability through its susceptibility to stored cross-site scripting attacks, specifically impacting versions up to and including 9.7.8. This vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode implementation, creating a persistent threat vector that can be exploited by authenticated attackers possessing contributor-level permissions or higher. The flaw exists within the shareaholic shortcode functionality where user-supplied attributes are not properly validated or escaped before being rendered in web pages, allowing malicious scripts to be stored and executed against unsuspecting users.

The technical nature of this vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws resulting from insufficient sanitization of user-supplied data. The vulnerability operates through a stored XSS mechanism where malicious payloads are injected into the plugin's shortcode attributes and persist in the database, making them executable whenever affected pages are accessed. Attackers with contributor privileges or above can leverage this weakness to inject malicious JavaScript code through the plugin's interface, which then executes in the context of other users' browsers when they view pages containing the compromised shortcode. This persistent nature makes the vulnerability particularly dangerous as the malicious code remains active until manually removed from the database.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to perform various malicious activities including session hijacking, data theft, redirection to malicious sites, and potentially full compromise of user accounts. The fact that the vulnerability requires only contributor-level permissions makes it especially concerning for WordPress installations where multiple users with varying permission levels are present, as even less privileged users could exploit this weakness to gain unauthorized access to sensitive information or manipulate content. The stored nature of the attack means that victims do not need to be actively browsing when the malicious code is injected, as the payload executes automatically upon page access.

Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the input sanitization and output escaping issues, with administrators ensuring all users are updated to the latest secure versions. System administrators should implement strict input validation procedures for all user-supplied data within the WordPress environment, particularly focusing on shortcode and attribute handling. Network monitoring should be enhanced to detect suspicious shortcode usage patterns, and regular security audits should verify that no malicious scripts have been injected into the system. Additionally, implementing content security policies and privilege separation measures can reduce the potential impact of such vulnerabilities, while regular security assessments should be conducted to identify and remediate similar issues in other plugins or themes that may exhibit similar input validation weaknesses. The ATT&CK framework categorizes this vulnerability under T1546.001 for modification of system binaries and T1059.001 for command and scripting interpreter, highlighting the persistent threat this vulnerability poses to system integrity and user security.

Responsible

Wordfence

Reservation

09/11/2023

Disclosure

11/15/2023

Moderation

accepted

CPE

ready

EPSS

0.00434

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!