CVE-2024-11252

MEDIUM

Sassy Social Share <= 3.3.69 - Unauthenticated Reflected XSS via heateor_mastodon_share

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-11252. PoCs published by reinh3rz.

AI-analyzed exploit summary This repository contains a functional Python script and HTML PoC demonstrating a reflected XSS vulnerability in the Sassy Social Share WordPress plugin via the `heateor_mastodon_share` parameter. The exploit sends a crafted URL with malicious JavaScript and checks if the payload executes.

Description

The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.69 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Exploits (1)

nomisec WORKING POC

by reinh3rz · poc

https://github.com/reinh3rz/CVE-2024-11252-Sassy-Social-Share-XSS

View Code ZIP pw:eip

This repository contains a functional Python script and HTML PoC demonstrating a reflected XSS vulnerability in the Sassy Social Share WordPress plugin via the `heateor_mastodon_share` parameter. The exploit sends a crafted URL with malicious JavaScript and checks if the payload executes.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Sassy Social Share WordPress Plugin

No auth needed

Prerequisites: Target site with vulnerable Sassy Social Share plugin installed

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/sassy-social-share/tags/3.3.69/public/class-sassy-social-share-public.php#L1478

Product

https://plugins.trac.wordpress.org/browser/sassy-social-share/tags/3.3.69/public/class-sassy-social-share-public.php#L1481

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/3d065c2a-da7d-469a-b57d-f2fd5b760ff4?source=cve

Scores

CVSS v3 6.1

EPSS 0.0084

EPSS Percentile 53.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

heateor/sassy_social_share < 3.3.70

heateor/Social Sharing Plugin – Sassy Social Share < 3.3.69

Published Nov 30, 2024

Tracked Since Feb 18, 2026