CVE-2024-3984

Vulnerability

The EmbedSocial – Social Media Feeds, Reviews and Galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.1.29. The vulnerability resides in the embedsocial_reviews shortcode where user-supplied attributes are not properly sanitized before being output, due to insufficient input sanitization and output escaping [1]. This allows the injection of arbitrary web scripts into pages.

Exploitation

An authenticated attacker with contributor-level access or above can exploit this vulnerability by crafting a malicious shortcode attribute (e.g., in a WordPress post or page) containing JavaScript code. When the injected page is accessed by any user, the script executes in the context of the victim's browser. No other privileges or user interaction beyond viewing the page are required [1].

Impact

Successful exploitation leads to Stored XSS, allowing the attacker to execute arbitrary JavaScript in the browsers of users who visit the compromised page. This can result in session hijacking, defacement, redirection to malicious sites, or theft of sensitive information. The attacker gains the ability to perform actions on behalf of the victim within the WordPress site, potentially escalating to full site compromise if an administrator visits the page [1].

Mitigation

The vendor has not released a patched version as of the publication date (2024-06-19). The available references do not specify a fixed version or workaround. Until a patch is available, users should restrict contributor-level and above access to trusted users and consider temporarily disabling the plugin if feasible [1].