VYPR
Medium severity 5.4 · NVD Advisory · Published Jun 12, 2024 · Updated Apr 15, 2026

CVE-2023-40672

Description

Missing Authorization vulnerability in Hardik Chavada Sticky Social Media Icons. This issue affects Sticky Social Media Icons: from n/a through 2.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing Authorization vulnerability in WordPress Sticky Social Media Icons plugin allows unprivileged users to execute higher-privileged actions.

The Sticky Social Media Icons plugin for WordPress suffers from a Missing Authorization vulnerability, categorized as a Broken Access Control issue. The root cause is the lack of proper capability or nonce token checks in one or more functions, which would normally prevent unauthorized access. This affects all versions from n/a through 2.1 [1].

An attacker, without needing any authentication or with only low-privilege access, can exploit this by sending crafted requests to the vulnerable endpoints. No special network position is required, making it exploitable remotely. The missing checks allow unauthenticated or low-privileged users to perform actions that should require higher privileges, such as administrative functions [1].

The impact is that an attacker could modify plugin settings, inject malicious content, or potentially take over the website. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of WordPress sites, regardless of their size or popularity [1].

A patched version is available. As an immediate action, users should update the plugin to the latest version. If updating is not possible, administrators should contact their hosting provider or web developer for assistance [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.

References

1
