WordPress · Simple Share Buttons Adder · CVE-2014-4717
**Name of the Vulnerable Software and Affected Versions**
Simple Share Buttons Adder plugin versions prior to 4.5
**Description**
The issue is a cross-site request forgery (CSRF) flaw: it allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks. The vector is the `ssba_share_text` parameter in a save action to "wp-admin/options-general.php", whose value is not properly handled in the homepage. Additionally, there are unspecified vectors related to Pages, Posts, Category/Archive pages, or post Excerpts.
**Recommendations**
For versions prior to 4.5, update to version 4.5 or later to resolve the issue.
As a temporary workaround, consider restricting access to the "wp-admin/options-general.php" endpoint and avoiding the use of the `ssba_share_text` parameter in save actions until the update to version 4.5 or later can be applied.
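
The two controls whose absence produces this class of issue, a request nonce on the settings save and escaping when the stored text is rendered, are sketched below as an added example. It is not the plugin's code or its 4.5 patch; the `example_ssba_*` function names, the `example-ssba` page slug and the assumption that the value is stored in an option named `ssba_share_text` are hypothetical.

```php
<?php
// Added illustration for a WordPress plugin settings page. All example_ssba_*
// names and the page slug are hypothetical; only the WordPress core calls are real.

// Settings form: embed a nonce tied to the logged-in user and this action,
// so a forged cross-site POST cannot carry a valid token.
function example_ssba_render_form() {
    ?>
    <form method="post" action="options-general.php?page=example-ssba">
        <?php wp_nonce_field( 'example_ssba_save', 'example_ssba_nonce' ); ?>
        <input type="text" name="ssba_share_text"
               value="<?php echo esc_attr( get_option( 'ssba_share_text', '' ) ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}

// Save handler: capability check, then nonce check, then sanitise before storing.
function example_ssba_save_settings() {
    if ( ! isset( $_POST['ssba_share_text'] ) ) {
        return; // Not a save request for this form.
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Terminates the request if the nonce is missing or invalid (CSRF defence).
    check_admin_referer( 'example_ssba_save', 'example_ssba_nonce' );

    // Strip tags and control characters from the submitted value.
    $text = sanitize_text_field( wp_unslash( $_POST['ssba_share_text'] ) );
    update_option( 'ssba_share_text', $text );
}
add_action( 'admin_init', 'example_ssba_save_settings' );

// Front-end output: escape at render time as well, so a value stored before
// the fix (or written by another code path) is still emitted as inert text.
function example_ssba_share_text_html() {
    $text = get_option( 'ssba_share_text', '' );
    return '<span class="example-ssba-text">' . esc_html( $text ) . '</span>';
}
```

The nonce check stops the forged save request, and the output escaping keeps an already-stored value from executing on the homepage, Pages, Posts, archive pages or excerpts.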