The Sticky Social Icons WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
History

Fri, 06 Dec 2024 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Sticky Social Icons
Sticky Social Icons sticky Social Icons
Weaknesses CWE-79
CPEs cpe:2.3:a:sticky_social_icons:sticky_social_icons:*:*:*:*:*:*:*:*
Vendors & Products Sticky Social Icons
Sticky Social Icons sticky Social Icons
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Dec 2024 06:15:00 +0000

Type Values Removed Values Added
Description The Sticky Social Icons WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Title Sticky Social Icons <= 1.2.1 - Admin+ Stored XSS
References

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2024-12-06T06:00:08.221Z

Updated: 2024-12-06T15:59:27.835Z

Reserved: 2024-10-30T17:18:45.731Z

Link: CVE-2024-10551

cve-icon Vulnrichment

Updated: 2024-12-06T15:59:21.832Z

cve-icon NVD

Status : Received

Published: 2024-12-06T06:15:22.090

Modified: 2024-12-06T16:15:20.160

Link: CVE-2024-10551

cve-icon Redhat

No data.