Social Share Buttons – Social Pug <= 1.2.5 – Authenticated Cross-Site Scripting (XSS) | CVE 2016-10736

Affects Plugins

social-pug

Fixed in 1.2.6

References

CVE

CVE-2016-10736

URL

https://plugins.trac.wordpress.org/changeset/1549711

URL

https://advisories.dxw.com/advisories/reflected-xss-in-social-pug-easy-social-share-buttons-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/

URL

https://seclists.org/fulldisclosure/2016/Dec/37

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Original Researcher

Mallory Adams (dxw)

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

b0ec5b92-a990-428d-abc7-af2e8b0c0e3e

Timeline

Publicly Published

2016-12-09 (about 7 years ago)

Added

2016-12-11 (about 7 years ago)

Last Updated

2020-09-22 (about 3 years ago)

Other

Published

Title

Published

2024-02-19

Title

Schema & Structured Data for WP & AMP < 1.27 - Authenticated Stored XSS

Published

2022-12-20

Title

Metricool < 1.18 - Admin+ Stored XSS

Published

2021-06-07

Title

Stripe Payment Gateway for WooCommerce < 3.6.0 - Reflected Cross-Site Scripting (XSS)

Published

2023-09-01

Title

WP Default Feature Image <= 1.0.1.1 - Admin+ Stored XSS

Published

2023-01-17

Title

Easy Accept Payments for PayPal < 4.9.10 - Contributor+ Stored XSS