CVE-2024-2118 in Social Media Share Buttons & Social Sharing Icons Plugininfo

Summary

by MITRE • 04/17/2024

The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/09/2025

The vulnerability identified as CVE-2024-2118 affects the Social Media Share Buttons & Social Sharing Icons WordPress plugin, specifically versions prior to 2.8.9. This issue represents a critical security flaw that undermines the plugin's ability to properly handle user input, creating opportunities for persistent malicious code execution within WordPress environments. The vulnerability stems from insufficient sanitization and escaping of plugin settings, which allows attackers to inject malicious scripts that persist across user sessions and page loads.

The technical nature of this vulnerability manifests as a stored cross-site scripting vulnerability that specifically targets high-privilege users such as administrators. While WordPress typically restricts unfiltered HTML input through capability checks, this flaw enables attackers to bypass such protections even in multisite configurations where security measures are heightened. The vulnerability occurs because the plugin fails to properly validate and sanitize user-supplied data before storing it in the database, allowing malicious payloads to be permanently embedded within the plugin's configuration settings. This stored nature of the vulnerability means that the malicious scripts execute whenever affected pages are loaded, regardless of the current user's permissions or capabilities.

The operational impact of CVE-2024-2118 extends beyond simple script injection, as it provides attackers with persistent access to administrative functions and sensitive data. When an administrator visits pages containing the vulnerable plugin, their browser executes the stored malicious scripts, potentially leading to complete compromise of the WordPress installation. Attackers can leverage this vulnerability to escalate privileges, modify content, steal session cookies, or perform unauthorized administrative actions. The vulnerability's persistence across sessions makes it particularly dangerous as it remains active even after the initial injection, creating long-term exposure windows for affected systems. This type of vulnerability directly aligns with CWE-79, which describes cross-site scripting flaws, and maps to attack techniques in the ATT&CK framework under T1566 for social engineering and T1071 for application layer protocols.

Mitigation strategies for CVE-2024-2118 require immediate action including upgrading the affected plugin to version 2.8.9 or later, which contains the necessary sanitization fixes. Administrators should also implement additional defensive measures such as monitoring for suspicious plugin settings changes, reviewing stored data for malicious content, and ensuring proper capability restrictions are in place. The vulnerability demonstrates the importance of input validation and output escaping in web applications, particularly in content management systems where plugins handle user input. Organizations should conduct thorough security assessments of all installed plugins to identify similar vulnerabilities, as this flaw highlights the broader issue of inadequate sanitization practices in third-party WordPress extensions. Regular security audits and patch management processes become essential in preventing exploitation of such persistent vulnerabilities that can compromise entire WordPress installations.

Reservation

03/01/2024

Disclosure

04/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00405

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!