CVE-2023-3320

Name of the Vulnerable Software and Affected Versions WP Sticky Social plugin for WordPress versions up to, and including, 1.0.1

Description The issue is due to missing nonce validation in the ~/admin/views/admin.php file, making it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request. This can be achieved if an attacker can trick a site administrator into performing an action, such as clicking on a link.

Recommendations For WP Sticky Social plugin for WordPress versions up to, and including, 1.0.1, consider disabling the plugin until a patch is available to prevent modification of the plugin's settings and injection of malicious web scripts. Restrict access to the ~/admin/views/admin.php file to minimize the risk of exploitation. Avoid performing actions that could be triggered by a forged request, such as clicking on links from untrusted sources, until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.