WordPress · Wp Sticky Social · CVE-2023-3320
**Name of the Vulnerable Software and Affected Versions**
WP Sticky Social plugin for WordPress versions up to, and including, 1.0.1
**Description**
The plugin does not validate a nonce in the ~/admin/views/admin.php file, so an unauthenticated attacker can modify the plugin's settings and inject malicious web scripts via a forged request (cross-site request forgery). Exploitation requires the attacker to trick a site administrator into performing an action, such as clicking on a link.
**Recommendations**
For WP Sticky Social plugin for WordPress versions up to, and including, 1.0.1, consider disabling the plugin until a patch is available; this prevents modification of the plugin's settings and injection of malicious web scripts. Restrict access to the ~/admin/views/admin.php file to minimize the risk of exploitation. Until the issue is resolved, avoid actions that a forged request could exploit, such as clicking links from untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
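The defect class named in the Description (a settings handler that accepts a POST without a nonce and stores the raw value) and the fix a patch would apply, as an added illustrative PHP example. This is not the plugin's own code; the option, field, nonce and function names prefixed wpss_demo_ are hypothetical, while the WordPress API calls (check_admin_referer, current_user_can, wp_kses_post, wp_nonce_field, esc_textarea) are real.

```php
<?php
// Illustrative settings handler (not the plugin's code); names prefixed
// wpss_demo_ are hypothetical. BEFORE shows the defect class from the advisory
// (no nonce check, raw value stored); AFTER adds the WordPress checks that close it.

// BEFORE: CSRF-able save handler. Any POST carrying the field is honoured,
// and the raw value is stored, so injected markup is later rendered.
function wpss_demo_save_settings_unsafe() {
    if ( isset( $_POST['wpss_demo_markup'] ) ) {
        update_option( 'wpss_demo_markup', $_POST['wpss_demo_markup'] ); // unsanitized
    }
}

// AFTER: same handler with the three checks that close the issue.
function wpss_demo_save_settings() {
    if ( ! isset( $_POST['wpss_demo_save'] ) ) {
        return;
    }
    // 1. Nonce: proves the request came from our own form, not a forged one.
    //    check_admin_referer() calls wp_die() if the nonce is missing or invalid.
    check_admin_referer( 'wpss_demo_save_settings', 'wpss_demo_nonce' );

    // 2. Capability: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wpss-demo' ) );
    }

    // 3. Sanitize on input: keep only the HTML allowed in post content,
    //    which strips <script> tags and on* event-handler attributes.
    $markup = wp_kses_post( wp_unslash( $_POST['wpss_demo_markup'] ) );
    update_option( 'wpss_demo_markup', $markup );
}
add_action( 'admin_init', 'wpss_demo_save_settings' );

// Settings form: wp_nonce_field() emits the hidden nonce field the handler verifies.
function wpss_demo_render_settings_page() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'wpss_demo_save_settings', 'wpss_demo_nonce' ); ?>
        <textarea name="wpss_demo_markup"><?php
            // 4. Escape on output too, so stored data is never re-emitted raw.
            echo esc_textarea( get_option( 'wpss_demo_markup', '' ) );
        ?></textarea>
        <button type="submit" name="wpss_demo_save" value="1">Save</button>
    </form>
    <?php
}
```

A forged cross-site POST cannot carry a valid nonce, because the nonce is tied to the logged-in user's session and expires, so the hardened handler rejects it before any option is touched.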