CVE-2022-4971

MEDIUM EXPLOITED NUCLEI

Heateor Sassy Social Share < 3.3.3 - XSS

Title source: rule

Description

The Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'urls' parameter called via the 'heateor_sss_sharing_count' AJAX action in versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Nuclei Templates (1)

Sassy Social Share <= 3.3.3 - Cross-Site Scripting

MEDIUMVERIFIEDby popcorn94

Shodan: http.html:"/wp-content/plugins/sassy-social-share"

FOFA: body=/wp-content/plugins/sassy-social-share/

References (2)

[Exploit, Third Party Advisory] https://wpscan.com/vulnerability/4631519b-2060-43a0-b69b-b3d7ed94c705/

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/85277960-2bba-4cd7-9f4c-e04f6743b96c?source=cve

Scores

CVSS v3 6.1

EPSS 0.1013

EPSS Percentile 93.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

VulnCheck KEV 2024-10-15

CWE

CWE-79

Status published

Products (2)

heateor/sassy_social_share < 3.3.3

heateor/Social Sharing Plugin – Sassy Social Share < 3.3.3

Published Oct 16, 2024

Tracked Since Feb 18, 2026