Search criteria
5 vulnerabilities by wpsocialrocket
CVE-2024-9702 (GCVE-0-2024-9702)
Vulnerability from cvelistv5 – Published: 2025-01-07 05:23 – Updated: 2025-01-07 16:15
VLAI?
Title
Social Rocket <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Summary
The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialrocket-floating' shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| socialrocket | Social Rocket – Social Sharing Plugin |
Affected:
* , ≤ 1.3.4
(semver)
|
Credits
Peter Thaleikis
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:52:49.251850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:15:24.108Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Social Rocket \u2013 Social Sharing Plugin",
"vendor": "socialrocket",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Social Rocket \u2013 Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027socialrocket-floating\u0027 shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T05:23:56.167Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8d4d948e-359e-4514-9c8f-dbd8198ef4fe?source=cve"
},
{
"url": "https://wordpress.org/plugins/social-rocket/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-06T16:28:37.000+00:00",
"value": "Disclosed"
}
],
"title": "Social Rocket \u003c= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9702",
"datePublished": "2025-01-07T05:23:56.167Z",
"dateReserved": "2024-10-09T18:32:35.427Z",
"dateUpdated": "2025-01-07T16:15:24.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9697 (GCVE-0-2024-9697)
Vulnerability from cvelistv5 – Published: 2025-01-07 05:23 – Updated: 2025-01-07 16:16
VLAI?
Title
Social Rocket – Social Sharing Plugin <= 1.3.4 - Missing Authorization to Settings Update
Summary
The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tweet_settings_save() and tweet_settings_update() functions in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| socialrocket | Social Rocket – Social Sharing Plugin |
Affected:
* , ≤ 1.3.4
(semver)
|
Credits
Tieu Pham Trong Nhan
BrokenAC ignore
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9697",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:55:42.619375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:16:42.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Social Rocket \u2013 Social Sharing Plugin",
"vendor": "socialrocket",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tieu Pham Trong Nhan"
},
{
"lang": "en",
"type": "finder",
"value": "BrokenAC ignore"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Social Rocket \u2013 Social Sharing Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tweet_settings_save() and tweet_settings_update() functions in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin\u0027s settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T05:23:52.882Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/168dd2d4-bffb-4187-afc7-02fef8cb51a7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/social-rocket/trunk/admin/includes/class-social-rocket-admin.php#L5501"
},
{
"url": "https://plugins.trac.wordpress.org/browser/social-rocket/trunk/admin/includes/class-social-rocket-admin.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/social-rocket/trunk/admin/includes/class-social-rocket-admin.php#L5531"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-06T16:28:47.000+00:00",
"value": "Disclosed"
}
],
"title": "Social Rocket \u2013 Social Sharing Plugin \u003c= 1.3.4 - Missing Authorization to Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9697",
"datePublished": "2025-01-07T05:23:52.882Z",
"dateReserved": "2024-10-09T17:19:08.392Z",
"dateUpdated": "2025-01-07T16:16:42.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37258 (GCVE-0-2024-37258)
Vulnerability from cvelistv5 – Published: 2024-07-22 09:06 – Updated: 2024-08-02 03:50
VLAI?
Title
WordPress Social Rocket plugin <= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Social Rocket allows Reflected XSS.This issue affects Social Rocket: from n/a through 1.3.3.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Social Rocket | Social Rocket |
Affected:
n/a , ≤ 1.3.3
(custom)
|
Credits
Dimas Maulana (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T13:33:48.335944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T13:33:59.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.246Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/social-rocket/wordpress-social-rocket-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "social-rocket",
"product": "Social Rocket",
"vendor": "Social Rocket",
"versions": [
{
"changes": [
{
"at": "1.3.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dimas Maulana (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Social Rocket allows Reflected XSS.\u003cp\u003eThis issue affects Social Rocket: from n/a through 1.3.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Social Rocket allows Reflected XSS.This issue affects Social Rocket: from n/a through 1.3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T09:06:02.455Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/social-rocket/wordpress-social-rocket-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.3.4 or a higher version."
}
],
"value": "Update to 1.3.4 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Social Rocket plugin \u003c= 1.3.3 - Reflected Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37258",
"datePublished": "2024-07-22T09:06:02.455Z",
"dateReserved": "2024-06-04T16:46:57.740Z",
"dateUpdated": "2024-08-02T03:50:55.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3136 (GCVE-0-2022-3136)
Vulnerability from cvelistv5 – Published: 2022-10-10 00:00 – Updated: 2024-08-03 01:00
VLAI?
Title
Social Rocket < 1.3.3 - Admin+ Stored Cross-Site Scripting
Summary
The Social Rocket WordPress plugin before 1.3.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-Site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Social Rocket – Social Sharing Plugin |
Affected:
1.3.3 , < 1.3.3
(custom)
|
Credits
Asif Nawaz Minhas
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:00:10.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/913d7e78-23f6-4b0d-aca3-17051a2dc649"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Social Rocket \u2013 Social Sharing Plugin",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.3.3",
"status": "affected",
"version": "1.3.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Asif Nawaz Minhas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Social Rocket WordPress plugin before 1.3.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-10T00:00:00",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/913d7e78-23f6-4b0d-aca3-17051a2dc649"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Social Rocket \u003c 1.3.3 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3136",
"datePublished": "2022-10-10T00:00:00",
"dateReserved": "2022-09-06T00:00:00",
"dateUpdated": "2024-08-03T01:00:10.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5611 (GCVE-0-2020-5611)
Vulnerability from cvelistv5 – Published: 2020-07-27 06:55 – Updated: 2024-08-04 08:30
VLAI?
Summary
Cross-site request forgery (CSRF) vulnerability in Social Sharing Plugin versions prior to 1.2.10 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Social Rocket | Social Sharing Plugin |
Affected:
versions prior to 1.2.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/social-rocket/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN05502028/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Social Sharing Plugin",
"vendor": "Social Rocket",
"versions": [
{
"status": "affected",
"version": "versions prior to 1.2.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Social Sharing Plugin versions prior to 1.2.10 allows remote attackers to hijack the authentication of administrators via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-27T06:55:12",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/social-rocket/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN05502028/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5611",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Social Sharing Plugin",
"version": {
"version_data": [
{
"version_value": "versions prior to 1.2.10"
}
]
}
}
]
},
"vendor_name": "Social Rocket"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in Social Sharing Plugin versions prior to 1.2.10 allows remote attackers to hijack the authentication of administrators via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/social-rocket/",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/social-rocket/"
},
{
"name": "https://jvn.jp/en/jp/JVN05502028/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN05502028/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5611",
"datePublished": "2020-07-27T06:55:12",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:30:24.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}