Sassy Social Share <= 3.3.3 - Cross-Site Scripting (XSS)
Description
AJAX endpoints that return JSON data set no Content-Type header, so the response is served with admin-ajax.php's default of text/html. Any HTML contained in that JSON is therefore rendered by the browser instead of being treated as data.
Proof of Concept
PoC URL (uses unauthenticated action "heateor_sss_sharing_count"):
http://WORDPRESS_DOMAIN_HERE/wp-admin/admin-ajax.php?action=heateor_sss_sharing_count&urls[<img%20src%3dx%20onerror%3dalert(document.domain)>]=

Other, authenticated AJAX actions may also lead to reflected XSS, but these were not tested.
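The following is an added illustration of the defect class described above, written for this page and not taken from the plugin's source: a hypothetical admin-ajax handler (`example_sharing_count_*`, assumed names) that reflects caller-supplied URL keys into a JSON response. The vulnerable version echoes the JSON with no Content-Type header, so the text/html default applies and any markup in the reflected key is rendered. The hardened version validates the URLs, sends the response through `wp_send_json()`, which sets `Content-Type: application/json` before echoing, adds `X-Content-Type-Options: nosniff`, and HTML-encodes angle brackets inside the JSON as defence in depth.

```php
<?php
// Added example (hypothetical handler, not the plugin's own code) showing the
// missing-Content-Type defect beside a hardened version. Function and action
// names are assumptions for illustration.

// --- Vulnerable pattern ---------------------------------------------------
function example_sharing_count_vulnerable() {
    $counts = array();
    $urls   = isset( $_GET['urls'] ) ? (array) $_GET['urls'] : array();
    foreach ( $urls as $url => $_unused ) {
        // Attacker-controlled array key is reflected verbatim as a JSON key.
        $counts[ $url ] = 0; // real share-count lookup omitted for brevity
    }
    // No Content-Type header: admin-ajax.php's default text/html applies, and
    // json_encode() leaves '<' and '>' unescaped unless given JSON_HEX_TAG,
    // so markup inside a key is rendered by the browser.
    echo json_encode( $counts );
    wp_die();
}

// --- Hardened pattern -----------------------------------------------------
function example_sharing_count_hardened() {
    $counts = array();
    $urls   = isset( $_GET['urls'] ) ? (array) $_GET['urls'] : array();
    foreach ( $urls as $url => $_unused ) {
        // Accept only well-formed http(s) URLs; anything else is dropped.
        $clean = esc_url_raw( wp_unslash( (string) $url ), array( 'http', 'https' ) );
        if ( '' === $clean ) {
            continue;
        }
        $counts[ $clean ] = 0; // real share-count lookup omitted for brevity
    }
    // Stop browsers from sniffing the body as HTML even if a proxy rewrites
    // the Content-Type.
    header( 'X-Content-Type-Options: nosniff' );
    // wp_send_json() sets "Content-Type: application/json; charset=...", echoes
    // wp_json_encode() with the given flags, then calls wp_die(). The flags
    // HTML-encode < > & ' " inside the JSON as a second layer of protection.
    wp_send_json(
        $counts,
        200,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS
    );
}

// Register the hardened handler for both logged-in and anonymous callers.
add_action( 'wp_ajax_example_sharing_count',        'example_sharing_count_hardened' );
add_action( 'wp_ajax_nopriv_example_sharing_count', 'example_sharing_count_hardened' );
```

When auditing an installed plugin for this class of bug, request the AJAX action with `curl -i` and inspect the `Content-Type` header of the response: a JSON body returned under `text/html` is the condition this advisory describes, whatever the body contains.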

Affects Plugin

Classification

Type: XSS
OWASP Top 10: A7: Cross-Site Scripting (XSS)
CWE: CWE-79

Miscellaneous

Original Researcher: Nicholas Mun
Submitter: Nicholas Mun
Submitter Twitter: NRockhouse
Views: 9163
Verified: No
WPVDB ID: 9953

Timeline

Publicly Published: 2019-11-17
Added: 2019-11-18
Last Updated: 2019-11-25
