CVE-2023-3320

MEDIUM

WP Sticky Social <= 1.0.1 - Cross-Site Request Forgery and Stored Cross-Site Scripting via Missing Nonce Validation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-3320. PoCs published by Amirhossein Bahramizadeh.

AI-analyzed exploit summary This exploit demonstrates a CSRF to stored XSS vulnerability in WP Sticky Social 1.0.1 by crafting a malicious POST request to the plugin's settings page. It requires an authenticated session and leverages a generated nonce to bypass CSRF protections.

Description

The WP Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation in the ~/admin/views/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Exploits (1)

exploitdb WORKING POC
by Amirhossein Bahramizadeh · pythonwebappsphp
https://www.exploit-db.com/exploits/51533

This exploit demonstrates a CSRF to stored XSS vulnerability in WP Sticky Social 1.0.1 by crafting a malicious POST request to the plugin's settings page. It requires an authenticated session and leverages a generated nonce to bypass CSRF protections.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: WP Sticky Social 1.0.1
Auth required
Prerequisites: Authenticated WordPress session · Target plugin installed and activated
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 6.1
EPSS 0.0133
EPSS Percentile 67.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

Status published
Products (1)
wp_sticky_social_project/wp_sticky_social < 1.0.1
Published Jun 20, 2023
Tracked Since Feb 18, 2026