Description
The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link.
Published: 2025-06-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Social Sharing Plugin – Sassy Social Share includes a flaw where the heateor_mastodon_share parameter is not properly sanitized or escaped. This allows an unauthenticated attacker to embed malicious JavaScript that is reflected back into the page and executed in the victim’s browser. Because the vulnerable code runs client‑side, any user who follows a crafted link can become a victim, potentially resulting in script injection, defacement, or session hijacking. The weakness aligns with CWE‑79.

Affected Systems

All WordPress sites that use the heateor Social Sharing Plugin – Sassy Social Share versions up to and including 3.3.75 are affected. Administrators should confirm that their installation falls within the impacted version range and plan an update if necessary.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium risk, while the EPSS score of less than 1 % suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. The attack vector is client‑side and requires only that a victim opens a URL containing an unsanitized heateor_mastodon_share value, such as a link that an attacker can embed in email, social media posts or malicious sites. Successful exploitation would run arbitrary JavaScript in the victim’s browser, enabling the attacker to steal credentials, redirect users, or otherwise compromise the user’s session.

Generated by OpenCVE AI on April 22, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Social Sharing Plugin – Sassy Social Share to version 3.3.76 or newer, where the heateor_mastodon_share parameter is properly sanitized and escaped.
  • If an immediate update is not possible, block or remove the mastodon share feature by disabling it in the plugin settings or by filtering the heateor_mastodon_share parameter so it no longer appears in generated URLs.
  • Implement additional input validation or an output‑escaping routine for all plugin parameters, ensuring that any externally supplied data is properly sanitized before rendering to the browser.

Generated by OpenCVE AI on April 22, 2026 at 01:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17373 The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link.
History

Mon, 14 Jul 2025 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Heateor
Heateor sassy Social Share
CPEs cpe:2.3:a:heateor:sassy_social_share:*:*:*:*:*:wordpress:*:*
Vendors & Products Heateor
Heateor sassy Social Share

Mon, 09 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 07 Jun 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link.
Title Social Sharing Plugin – Sassy Social Share <= 3.3.75 - Reflected Cross-Site Scripting via 'heateor_mastodon_share' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Heateor Sassy Social Share
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:10:59.175Z

Reserved: 2025-06-03T13:46:09.631Z

Link: CVE-2025-5528

cve-icon Vulnrichment

Updated: 2025-06-09T16:02:42.599Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-07T12:15:23.157

Modified: 2025-07-14T17:26:28.117

Link: CVE-2025-5528

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses