CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3648 – ShareThis Share Buttons <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via sharethis-inline-buttons Shortcode
https://notcve.org/view.php?id=CVE-2024-3648
The ShareThis Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sharethis-inline-button' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento ShareThis Share Buttons para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del código corto 'sharethis-inline-button' del complemento en todas las versiones hasta la 2.3.0 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset/3089529/sharethis-share-buttons https://www.wordfence.com/threat-intel/vulnerabilities/id/03b37c90-4bb5-4003-a440-3fb57a5c1cae?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36848 – WordPress Social Media Feather plugin <= 2.0.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2021-36848
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Social Media Feather (WordPress plugin) versions <= 2.0.4 Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Autenticado (admin+) en Social Media Feather (plugin de WordPress) versiones anteriores a 2.0.4 incluyéndola • https://patchstack.com/database/vulnerability/social-media-feather/wordpress-social-media-feather-plugin-2-0-4-authenticated-stored-cross-site-scripting-xss-vulnerability https://wordpress.org/plugins/social-media-feather/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24438 – ShareThis Dashboard for Google Analytics < 2.5.2 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24438
The ShareThis Dashboard for Google Analytics WordPress plugin before 2.5.2 does not sanitise or escape the 'ga_action' parameter in the stats view before outputting it back in an attribute when the plugin is connected to a Google Analytics account, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator El plugin de WordPress ShareThis Dashboard for Google Analytics versiones anteriores a 2.5.2, no sanea ni escapa del parámetro "ga_action" en la vista de estadísticas antes de devolverlo en un atributo cuando el plugin está conectado a una cuenta de Google Analytics, conllevando a un problema de tipo Cross-Site Scripting reflejado que será ejecutado en el contexto de un administrador conectado. • https://wpscan.com/vulnerability/af472879-9328-45c2-957f-e7bed77e4c2d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 35EXPL: 4CVE-2014-4717 – Simple Share Buttons Adder <= 4.4 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2014-4717
Multiple cross-site request forgery (CSRF) vulnerabilities in the Simple Share Buttons Adder plugin before 4.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) ssba_share_text parameter in a save action to wp-admin/options-general.php, which is not properly handled in the homepage, and unspecified vectors related to (2) Pages, (3) Posts, (4) Category/Archive pages or (5) post Excerpts. Múltiples vulnerabilidades de CSRF en el plugin Simple Share Buttons Adder anterior a 4.5 para WordPress permiten a atacantes remotos secuestrar la autenticación de administradores para solicitudes que realizan ataques de XSS a través del parámetro (1) ssba_share_text en una acción de guardar en wp-admin/options-general.php, lo cual no se maneja debidamente en la página web principal, y vectores no especificados relacionado con las páginas (2) Pages, (3) Posts, (4) Category/Archive o (5) extractos de correos. The Simple Share Buttons Adder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4. This is due to missing nonce validation on simple-share-buttons-adder page. This makes it possible for unauthenticated attackers to inject malicious web scripts via the 'ssba_share_text' parameter through a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://www.exploit-db.com/exploits/33896 http://packetstormsecurity.com/files/127238/WordPress-Simple-Share-Buttons-Adder-4.4-CSRF-XSS.html http://seclists.org/fulldisclosure/2014/Jun/138 https://security.dxw.com/advisories/csrf-and-stored-xss-in-simple-share-buttons-adder https://wordpress.org/plugins/simple-share-buttons-adder/changelog • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2013-3479 – ShareThis <= 7.0.5 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2013-3479
Cross-site request forgery (CSRF) vulnerability in the ShareThis plugin before 7.0.6 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings. Vulnerabilidad CSRF (Cross-site request forgery) en el plugin ShareThis anterior a v7.0.6 para WordPress permite a atacantes remotos secuestrar la autenticación de los administradores para solicitudes que modifican la configuración de este plugin. • http://secunia.com/advisories/53135 http://wordpress.org/plugins/share-this/changelog • CWE-352: Cross-Site Request Forgery (CSRF) •