CVE-2014-4717 – Simple Share Buttons Adder <= 4.4 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2014-4717
Description (NVD): Multiple cross-site request forgery (CSRF) vulnerabilities in the Simple Share Buttons Adder plugin before 4.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via (1) the ssba_share_text parameter in a save action to wp-admin/options-general.php, which is not properly handled on the homepage, and unspecified vectors related to (2) Pages, (3) Posts, (4) Category/Archive pages, or (5) post Excerpts.

Description (plugin advisory): The Simple Share Buttons Adder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4, because the simple-share-buttons-adder settings page does not validate a nonce. An unauthenticated attacker who can trick a site administrator into performing an action such as clicking a link can submit a forged request that stores malicious web scripts via the 'ssba_share_text' parameter; the stored value is then rendered on the site's pages, turning the CSRF into stored XSS. Fixed in version 4.5.

References:
https://www.exploit-db.com/exploits/33896
http://packetstormsecurity.com/files/127238/WordPress-Simple-Share-Buttons-Adder-4.4-CSRF-XSS.html
http://seclists.org/fulldisclosure/2014/Jun/138
https://security.dxw.com/advisories/csrf-and-stored-xss-in-simple-share-buttons-adder
https://wordpress.org/plugins/simple-share-buttons-adder/changelog

Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
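The two defects the advisory describes (no nonce check on the settings save, and the saved share text echoed unescaped on the front end) follow a common WordPress plugin pattern. The following is an added illustration, not the plugin's own source: a minimal settings handler in the vulnerable shape, followed by the hardened shape using the standard WordPress nonce, capability, sanitisation and escaping APIs. The function names, the option name ssba_share_text and the nonce action name are assumptions made for the example.

```php
<?php
// Added example, not code from the Simple Share Buttons Adder plugin.
// Function names, the option key and the nonce action are assumed.

// --- Vulnerable pattern (illustrative, modelled on the advisory's description) ---

// The save handler accepts any POST that carries ssba_share_text. There is no
// nonce, so a form on an attacker's page can submit it with the administrator's
// cookies attached; the raw value is stored without sanitisation.
function ssba_example_save_vulnerable() {
    if ( isset( $_POST['ssba_share_text'] ) ) {
        update_option( 'ssba_share_text', $_POST['ssba_share_text'] );
    }
}

// The stored value is echoed unescaped on the homepage: stored XSS.
function ssba_example_render_vulnerable() {
    echo '<div class="ssba">' . get_option( 'ssba_share_text', '' ) . '</div>';
}

// --- Hardened pattern ---

// The settings form embeds a nonce bound to the current user and the action
// name. A cross-origin attacker cannot read it, so a forged POST fails below.
function ssba_example_settings_form() {
    ?>
    <form method="post"
          action="<?php echo esc_url( admin_url( 'options-general.php?page=simple-share-buttons-adder' ) ); ?>">
        <?php wp_nonce_field( 'ssba_save_settings', 'ssba_nonce' ); ?>
        <input type="text" name="ssba_share_text"
               value="<?php echo esc_attr( get_option( 'ssba_share_text', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function ssba_example_save_hardened() {
    if ( ! isset( $_POST['ssba_share_text'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // 2. CSRF check: verifies the nonce field against the action name and
    //    terminates the request on failure.
    check_admin_referer( 'ssba_save_settings', 'ssba_nonce' );
    // 3. Input sanitisation: remove tags and control characters before storing.
    $text = sanitize_text_field( wp_unslash( $_POST['ssba_share_text'] ) );
    update_option( 'ssba_share_text', $text );
}

// 4. Output escaping at the sink, independent of what the database holds.
function ssba_example_render_hardened() {
    echo '<div class="ssba">' . esc_html( get_option( 'ssba_share_text', '' ) ) . '</div>';
}
```

The nonce check alone closes the CSRF vector the advisory reports; the escaping on output is what removes the XSS sink, so that a value that reached the option table by some other path (an older unsanitised save, a direct database edit) still cannot execute in visitors' browsers. Both belong in a fix.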