CVE-2024-33693
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Meks Meks Smart Social Widget allows Stored XSS. This issue affects Meks Smart Social Widget: from n/a through 1.6.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Meks Smart Social Widget plugin allows attackers to inject malicious scripts via widget settings, affecting versions up to 1.6.4.
The Meks Smart Social Widget plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This issue affects plugin versions up to and including 1.6.4. The vulnerability allows attackers to inject arbitrary scripts that are stored in the widget's settings.
To exploit this vulnerability, an attacker must have authenticated access to the WordPress admin panel with the ability to modify widget settings (e.g., an administrator role). Upon injection, the malicious script is stored and executed when other users, including site visitors, load pages containing the widget [1]. User interaction is not required from the victim; the script executes automatically.
Successful exploitation could allow an attacker to perform actions such as redirecting visitors to malicious sites, displaying advertisements, stealing cookies, or defacing the website [1]. This vulnerability is classified with a CVSS v3 score of 5.9 (Medium) and is known to be used in mass-exploit campaigns against thousands of websites.
The vulnerability has been patched in version 1.6.5 of the plugin. Users are strongly advised to update to this version or enable automatic updates for vulnerable plugins [1]. If immediate update is not possible, restricting access to plugin settings or consulting a web developer is recommended.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.6.4
Patches
No patches discovered yet.
References