wpexploit | Dmitrii Ignatyev | WPEX-ID:04B2FEBA-E009-4FCE-8539-5DFDB4300433
History: May 28, 2024 - 12:00 a.m.

Simple Share Buttons Adder < 8.5.1 - Admin+ Stored XSS

Tags: share buttons adder, stored xss, admin, plugin, settings, additional css, payload, save settings, trigger, page reload

AI Score: 5.9 Medium (Confidence: High)

Description

The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

1. Go to the plugin settings
2. In the "Additional CSS" field, enter the payload `</style><img src=x onerror=alert(/XSS/)>`
3. Save settings and see the XSS when the page reloads
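The root cause is a settings value written verbatim into an inline `<style>` element, so a stored value containing `</style>` terminates the element and the rest is parsed as markup. The following is an added illustration, not the plugin's own code: the unsafe output pattern beside a hardened version that validates on save and strips tags on output. The option name `example_additional_css`, the settings group and the function names are assumed for the example.

```php
<?php
// Added example, not code from Simple Share Buttons Adder. Option and
// function names are assumptions chosen for illustration.

// Unsafe pattern: the raw option value is placed inside <style>. A value such as
// "</style><img src=x onerror=...>" closes the style element and injects markup,
// regardless of whether the saving user holds the unfiltered_html capability.
function example_print_css_unsafe() {
    $css = get_option( 'example_additional_css', '' );
    echo '<style>' . $css . '</style>';
}

// Hardened, step 1: validate on save via the option's sanitize callback so that
// anything resembling markup never reaches the database.
function example_sanitize_css( $css ) {
    $css      = (string) $css;
    $previous = get_option( 'example_additional_css', '' );

    // Valid CSS never needs a '<'; its only use here is to break out of <style>.
    if ( false !== strpos( $css, '<' ) ) {
        add_settings_error( 'example_additional_css', 'markup', 'Markup is not allowed in CSS.' );
        return $previous; // keep the last good value instead of storing the submission
    }
    // Unbalanced braces are a second sign that the value is not plain CSS.
    if ( substr_count( $css, '{' ) !== substr_count( $css, '}' ) ) {
        add_settings_error( 'example_additional_css', 'braces', 'Unbalanced curly brackets in CSS.' );
        return $previous;
    }
    return wp_strip_all_tags( $css );
}
register_setting( 'example_settings', 'example_additional_css', array(
    'type'              => 'string',
    'sanitize_callback' => 'example_sanitize_css',
) );

// Hardened, step 2: escape on output as well. wp_strip_all_tags() removes any
// tag-like sequence, including a stray "</style>", so a value that reached the
// database by another path (import, an older plugin version) still cannot
// terminate the style element.
function example_print_css_safe() {
    $css = get_option( 'example_additional_css', '' );
    echo '<style>' . wp_strip_all_tags( $css ) . '</style>';
}
add_action( 'wp_head', 'example_print_css_safe' );
```

Applying both layers means the reproduction steps above result in the submission being rejected with a settings error, and even a pre-existing bad value renders as inert text inside the style element.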

