CVE-2023-2779
Published: 19 June 2023
Summary
CVE-2023-2779 is a medium-severity vulnerability with an unspecified weakness type in Heator Social Share, Social Login And Social Comments. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The Social Share, Social Login and Social Comments WordPress plugin, also known as Super Socializer, prior to version 7.13.52 contains a reflected cross-site scripting vulnerability. The plugin fails to sanitize and escape an unspecified parameter before reflecting it back into a page response, allowing script execution in the context of a visiting user.
An unauthenticated attacker can exploit the flaw by crafting a malicious link or request that triggers the vulnerable parameter. When a high-privilege user such as an administrator follows the link, the attacker can execute arbitrary JavaScript within the administrator's session, enabling actions such as account takeover or unauthorized configuration changes. The CVSS 6.1 score reflects network attack vector, low complexity, no required privileges, required user interaction, and changed scope with limited impacts on confidentiality and integrity.
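The bug class described above (a request parameter reflected into the page without sanitising or escaping), shown beside its hardened form as an added illustration; this is not code from the Super Socializer plugin. The parameter name `hypothetical_param` and the two function names are assumptions, since the affected parameter is unspecified; `wp_unslash`, `sanitize_text_field`, `esc_attr` and `esc_html` are the real WordPress helpers.

```php
<?php
// Added illustration only. `hypothetical_param` and both function names are
// assumptions; the actual parameter affected by CVE-2023-2779 is unspecified.

// VULNERABLE pattern: the raw request value is echoed straight into HTML.
// Anything the value contains (tags, quotes, event handlers) becomes markup
// and runs in the browser of whoever loads the crafted URL.
function hypothetical_render_unsafe() {
    $value = isset( $_GET['hypothetical_param'] ) ? $_GET['hypothetical_param'] : '';
    echo '<input type="text" name="hypothetical_param" value="' . $value . '">';
    echo '<p>You searched for: ' . $value . '</p>';
}

// HARDENED pattern: sanitise on input, then escape on output with the helper
// that matches the exact context the value lands in. esc_attr() is required
// inside an attribute and esc_html() inside element text; using one for the
// other context is a common way reflected XSS survives a "fix".
function hypothetical_render_safe() {
    $value = isset( $_GET['hypothetical_param'] )
        ? sanitize_text_field( wp_unslash( $_GET['hypothetical_param'] ) )
        : '';
    echo '<input type="text" name="hypothetical_param" value="' . esc_attr( $value ) . '">';
    echo '<p>You searched for: ' . esc_html( $value ) . '</p>';
}
```

For code review, tracing every `$_GET`/`$_POST`/`$_REQUEST` read to the `echo` or `printf` that emits it and confirming an `esc_*()` call sits on that path is the quickest way to spot this pattern in a plugin.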
Public advisories from WPScan and PacketStorm confirm the reflected XSS issue and indicate that updating the plugin to version 7.13.52 or later addresses the flaw. The associated EPSS score has remained in a moderate range with a current value of 0.3075 and a peak of 0.3453, showing no material post-disclosure rise that would indicate emerging exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34237
Vulnerability details
The Social Share, Social Login and Social Comments WordPress plugin before 7.13.52 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
- CWE(s): none listed
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.