CVE-2024-12807 in Social Share Buttons Plugininfo

Summary

by MITRE • 01/28/2025

The Social Share Buttons for WordPress plugin through 2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/12/2025

The vulnerability identified as CVE-2024-12807 affects the Social Share Buttons for WordPress plugin version 2.7 and earlier, presenting a critical security risk through stored cross-site scripting flaws. This issue specifically targets high-privilege users such as administrators who possess the capability to modify plugin settings despite the WordPress installation having restricted permissions that typically disallow unfiltered_html capabilities. The vulnerability stems from insufficient sanitization and escaping of user-provided input within the plugin's administrative settings, creating an environment where malicious scripts can be persistently stored and executed whenever affected pages are accessed.

The technical flaw manifests in the plugin's failure to properly validate and sanitize input data before storing it in the WordPress database. When administrators configure social sharing buttons through the plugin's interface, they can inadvertently introduce malicious JavaScript code that gets saved without proper escaping mechanisms. This stored data becomes executable whenever the plugin renders its output, potentially affecting any user who views pages containing the compromised social sharing functionality. The vulnerability is particularly concerning in multisite environments where the unfiltered_html capability might be explicitly restricted, yet the plugin's inadequate input handling still allows for code injection.

The operational impact of this vulnerability extends beyond simple XSS attacks, as it can enable attackers to escalate privileges, steal session cookies, perform actions on behalf of authenticated users, and potentially gain full administrative control over affected WordPress installations. The stored nature of the vulnerability means that the malicious code persists even after the initial injection, making it particularly dangerous for long-term compromise. Attackers could leverage this vulnerability to inject malicious scripts that redirect users to phishing sites, steal sensitive information, or modify content in ways that could damage the reputation and integrity of the affected websites.

Security professionals should prioritize immediate remediation of this vulnerability by updating to the latest version of the Social Share Buttons plugin where the sanitization issues have been addressed. Organizations should also implement additional monitoring and input validation measures to detect and prevent similar issues in other plugins or custom code. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and it maps to ATT&CK technique T1059.007 for script injection and T1548.001 for privilege escalation through code injection. Administrators should conduct thorough security audits of all installed plugins to identify similar sanitization issues and ensure that proper input validation is implemented throughout the WordPress ecosystem to prevent such persistent security weaknesses.

Responsible

WPScan

Reservation

12/19/2024

Disclosure

01/28/2025

Moderation

accepted

CPE

ready

EPSS

0.00286

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!