CVE-2025-32239

Vulnerability

The Social Share Buttons & Analytics Plugin – GetSocial.io (wp-share-buttons-analytics-by-getsocial) versions up to and including 4.5 contain a missing authorization vulnerability [1]. The plugin fails to properly verify access rights, allowing exploitation of incorrectly configured access control security levels. This issue affects all versions from n/a through 4.5 [1].

Exploitation

An attacker needs no authentication; the vulnerability lies in the plugin's access control logic. By crafting requests to endpoints that lack authorization checks, an attacker can bypass intended permission requirements. No user interaction or special network position is required beyond standard HTTP access to the WordPress site [1].

Impact

Successful exploitation allows an attacker to perform actions that should be restricted to higher-privilege users. The exact capabilities gained depend on the specific misconfigured endpoint, but the core impact is unauthorized access to plugin functionality or data, leading to information disclosure or partial privilege escalation. This could expose sensitive configuration or analytics data protected by the missing authorization checks [1].

Mitigation

The vendor released version 4.5 as the latest version on 2024-04-30 [1]. Users should update to a patched version if one becomes available. As of publication date 2025-04-04, no security update beyond 4.5 is listed. Mitigating controls include reviewing and hardening WordPress role and capability configurations, and applying the principle of least privilege to plugin settings. The plugin has been downloaded over 533,000 times and is tested up to WordPress 6.5.8 [1].