CVE-2024-1448 in Sassy Social Share Plugininfo

Summary

by MITRE • 02/29/2024

The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.3.56 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/12/2026

The vulnerability identified as CVE-2024-1448 affects the Social Sharing Plugin – Sassy Social Share plugin for WordPress, representing a critical stored cross-site scripting vulnerability that has significant implications for WordPress site security. This flaw exists in all versions up to and including 3.3.56, making it a widespread concern for WordPress administrators who have not yet updated their installations. The vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode implementation, creating a persistent security weakness that can be exploited by malicious actors with relatively low privileges.

The technical nature of this vulnerability allows authenticated attackers who possess contributor-level permissions or higher to inject malicious scripts through the plugin's shortcode functionality. These scripts become permanently stored within the WordPress database and execute whenever any user accesses pages containing the injected content. This stored XSS vulnerability operates by bypassing the normal input validation checks that should occur when users submit data through the plugin's interface. The flaw specifically targets the handling of user-supplied attributes within the shortcode parameters, where insufficient sanitization allows malicious payloads to persist and execute in the context of other users' browsers.

The operational impact of this vulnerability extends beyond simple script injection, as it can enable attackers to perform various malicious activities including session hijacking, credential theft, defacement of content, and redirection to malicious websites. Since contributors and above have the ability to create and modify content, they can leverage this vulnerability to inject scripts into posts, pages, or other content areas where the social sharing plugin shortcodes are used. The persistent nature of stored XSS means that the malicious scripts will execute for every visitor who accesses the affected pages, potentially compromising a large number of users over time. This vulnerability essentially transforms the compromised user account into a vector for further attacks against other users within the same WordPress installation.

Organizations and WordPress administrators should immediately prioritize updating the Sassy Social Share plugin to the latest version that addresses this vulnerability, as the affected versions represent a significant risk to website security. The remediation process should include not only updating the plugin but also auditing existing content for any potential malicious scripts that may have been injected prior to the fix. Security best practices recommend implementing additional layers of protection including web application firewalls, content security policies, and regular security audits to prevent similar vulnerabilities from occurring in other plugins or themes. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a clear example of how insufficient input validation can create persistent security risks in web applications. From an ATT&CK perspective, this vulnerability could be categorized under techniques involving code injection and privilege escalation, as it allows attackers to execute arbitrary code with the privileges of the compromised user account.

Responsible

Wordfence

Reservation

02/12/2024

Disclosure

02/29/2024

Moderation

accepted

CPE

ready

EPSS

0.00474

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!