CVE-2021-39321

Name of the Vulnerable Software and Affected Versions: Sassy Social Share WordPress plugin version 3.3.23

Description: The issue arises from PHP Object Injection via the wp ajax heateor sss import config AJAX action, due to the deserialization of unvalidated user-supplied inputs via the import config function found in the ~/admin/class-sassy-social-share-admin.php file. This can be exploited by underprivileged authenticated users because of a missing capability check on the import config function.

Recommendations: For version 3.3.23, consider disabling the import config function until a patch is available to prevent exploitation via the wp ajax heateor sss import config AJAX action. Restrict access to the ~/admin/class-sassy-social-share-admin.php file to minimize the risk of exploitation. Avoid using the import config function in the affected AJAX endpoint until the issue is resolved.