CVE-2024-3648 - Exploiting Stored XSS in ShareThis Share Buttons WordPress Plugin (Up to v2.3.)

A significant security vulnerability has been discovered in the popular ShareThis Share Buttons WordPress plugin. Identified as CVE-2024-3648, this flaw allows attackers with basic contributor permissions to execute arbitrary JavaScript on vulnerable sites through stored cross-site scripting (XSS). This could lead to hijacking accounts, redirecting visitors, or defacing your WordPress site.

> CVE-2024-3648 affects all versions of ShareThis Share Buttons up to and including 2.3. via the [sharethis-inline-button] shortcode.

Let’s break down how this exploit works, provide a proof-of-concept, and explain how you can protect your site.

Where’s the Bug?

The plugin’s [sharethis-inline-button] shortcode accepts several user attributes. Unfortunately, it does not properly clean or escape attributes before displaying them, allowing contributors and above to insert malicious code.

This means any user with contributor access can inject scripts using the shortcode, by simply creating a post or page with manipulated shortcode attributes.

Here’s how an attacker might abuse the shortcode

[sharethis-inline-button url="https://victim.site"; title="<script>alert('XSS!');</script>"]

When a visitor or admin views this content, the browser executes the injected script.

`plaintext

[sharethis-inline-button title='">']

Anyone who visits the post will trigger the alert, confirming XSS.

Note: Attackers can write more sophisticated payloads to steal session tokens, inject ads, or redirect users.

Here’s a simple JavaScript injection using the vulnerable shortcode

[sharethis-inline-button title='"><img src=x onerror=alert("Hacked!")>']

What happens?
When rendered, the browser interprets the injected inline HTML and executes the JavaScript.

Real-World Exploitation

- Only contributor-level (or higher) users can exploit this (default can write posts but can't publish).

Patch Status & Recommendations

ShareThis Share Buttons version 2.3. and below are vulnerable. At the time of writing, check for official plugin updates and apply patches as soon as possible.

Disable the plugin until an update is released.

- Use a security plugin (like Wordfence) to monitor for suspicious code injections.

References

- NVD - CVE-2024-3648
- WPScan Advisory - ShareThis Share Buttons XSS
- Plugin page: ShareThis Share Buttons

Conclusion

CVE-2024-3648 is a high-risk, stored XSS vulnerability in ShareThis Share Buttons for WordPress. While it requires at least contributor permissions, it poses a real threat on multi-user sites. Update immediately when a patch is available and review your site's user roles.

Stay safe, update often, and audit any WordPress plugins for similar risks!

*Exclusive content by AI — summarize and share responsibly!*

Timeline

Published on: 05/23/2024 07:15:09 UTC
Last modified on: 08/01/2024 20:19:59 UTC