Cyber Resilience

CVE-2023-2779

Medium · Public PoC

Published: 19 June 2023

Modified: 12 December 2024
KEV Added
Patch
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.3075 (96.8th percentile)
Risk Priority: 31 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-2779 is a medium-severity vulnerability of unspecified weakness type in Heator Social Share, Social Login And Social Comments. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The Social Share, Social Login and Social Comments WordPress plugin, also known as Super Socializer, prior to version 7.13.52 contains a reflected cross-site scripting vulnerability. The plugin fails to sanitize and escape an unspecified parameter before reflecting it back into a page response, allowing script execution in the context of a visiting user.

An unauthenticated attacker can exploit the flaw by crafting a malicious link or request that triggers the vulnerable parameter. When a high-privilege user such as an administrator follows the link, the attacker can execute arbitrary JavaScript within the administrator's session, enabling actions such as account takeover or unauthorized configuration changes. The CVSS 6.1 score reflects network attack vector, low complexity, no required privileges, required user interaction, and changed scope with limited impacts on confidentiality and integrity.

Public advisories from WPScan and PacketStorm confirm the reflected XSS issue and indicate that updating the plugin to version 7.13.52 or later addresses the flaw. The associated EPSS score has remained in a moderate range with a current value of 0.3075 and a peak of 0.3453, showing no material post-disclosure rise that would indicate emerging exploitation interest.

EU & UK References

Vulnerability details

The Social Share, Social Login and Social Comments WordPress plugin before 7.13.52 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

heator
social share, social login and social comments
≤ 7.13.52

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References