CVE-2024-1685

Name of the Vulnerable Software and Affected Versions Social Media Share Buttons plugin for WordPress versions up to, and including, 2.1.0

Description The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input through the attachmentUrl parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations For Social Media Share Buttons plugin for WordPress versions up to, and including, 2.1.0, consider updating to a version that fixes this issue, as no specific workaround is provided for these versions. As a temporary workaround, consider restricting access to the attachmentUrl parameter to minimize the risk of exploitation. Avoid using the attachmentUrl parameter in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.