Impact
The MashShare plugin for WordPress, in all versions through 4.0.47, contains a missing authorization flaw that permits any visitor to reach administrative configuration pages without authentication. A visitor who does so can modify the plugin’s settings, alter social sharing behavior, or disable the plugin entirely. The underlying weakness is documented as CWE‑862 and constitutes an access control failure rather than a data breach or code execution vulnerability.
Affected Systems
WordPress sites that have installed the DearHive Social Media Share Buttons plugin, commonly referred to as MashShare, are at risk if the installed version is 4.0.47 or older. No specific server software or operating system is referenced, so the vulnerability applies broadly across any environment running WordPress where the affected plugin is active.
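The version boundary above can be checked against an installed copy. The following is an added example, not part of the advisory or the plugin: it reads the standard `Version:` field from a WordPress plugin header and compares it with 4.0.47. The path to the plugin's main PHP file is supplied by the operator, and the sample header is constructed.

```python
import re
import sys

LAST_AFFECTED = "4.0.47"  # from the advisory: versions through 4.0.47 are affected

# WordPress plugin headers carry a "Version:" field inside the leading comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample header for illustration, not copied from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Constructed Sample
 * Version: 4.0.47
 */
"""

def read_plugin_version(php_source):
    """Return the header's Version value, or None if it has none."""
    match = VERSION_RE.search(php_source[:8192])  # WordPress reads only the first 8 KB
    return match.group(1) if match else None

def version_key(version):
    """Turn '4.0.47' into (4, 0, 47); trailing zeros dropped so 4.0.47.0 == 4.0.47."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version):
    """True when the version is at or below the last affected release."""
    return version_key(version) <= version_key(LAST_AFFECTED)

def audit(php_source):
    """Classify plugin source as 'affected', 'not affected' or 'unknown'."""
    version = read_plugin_version(php_source)
    if version is None or not version_key(version):
        return "unknown"  # no parsable version: treat as needing manual review
    return "affected" if is_affected(version) else "not affected"

if __name__ == "__main__":
    # Usage: python check_mashshare.py /path/to/plugin-main-file.php
    source = SAMPLE_HEADER
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    print(audit(source))
```

An "unknown" result means the header had no readable version and the installation should be inspected by hand.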
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the flaw allows unauthenticated manipulation of administrative URLs, the most likely attack vector is over standard HTTP requests to the plugin’s administrative endpoints, meaning remote attackers can trigger it by sending crafted requests from any network that can reach the site.