• Resolved mermare

    (@mermare)


    I’m getting the following warning from my security plugin… ”WordPress Scriptless Social Sharing <= 3.3.0 – Cross Site Scripting (XSS) Vulnerability”

    Please advise.

Viewing 15 replies - 1 through 15 (of 15 total)
  • zepolo

    (@zepolo)

    Cross Site Scripting (XSS)

    This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit websites. This security issue has a low severity impact and is unlikely to be exploited.

    But this makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Please advise. Thank you very much

    Plugin Author Robin Cornett

    (@littlerchicken)

    This was fixed in the 3.3.0 release–I submitted the fix to Patchstack, but they haven’t replied yet.

    zepolo

    (@zepolo)

    Thank you very much for the news.

    Good plugin!

    Thread Starter mermare

    (@mermare)

    Thanks Robin!

    johndelange

    (@johndelange)

    Thank you for the update…and the great plugin!

    Hi Robin,

    Just wondering what the best way forward is. I use this plugin on 20+ client sites – and ManageWP, Wordfence etc are all sending daily email security alerts. For whatever reason, Patchstack have decided that the 3.3.0 version has vulnerabilities. Maybe you could try bumping the version to 3.3.1 and submitting that to see if it gets a more prompt response?

    Thanks,

    Ben

    I’m concerned about this as well, and agree with @badlydrawnben’s suggestion.

    Hi,

    For info, Really Simple Security and Wordfence are all sending daily email security alerts for this:

    The Scriptless Social Sharing plugin for WordPress has a security issue that allows attackers to inject harmful code into pages on a website.

    Detected in:

    Scriptless Social Sharing open vulnerable versions: >= * <= 3.3.0

    jodzeee

    (@jodzeee)

    I reached out to Patchstack regarding the vulnerability on June 12 and this was their response …

    Hello, as you can see, the latest version is still marked as vulnerable. This indicates that either no patch has been released or the existing patch is incomplete. We’ve already notified the vendor about the issue and also informed them via email regarding problems with the patch (May 12, 2025), but we have not received any response so far.

    I had a similar problem a few months ago with another plugin that took a long time to get resolved, I’m not sure what the issue was.

    Plugin Author Robin Cornett

    (@littlerchicken)

    The specific replication steps were addressed in the 3.3.0 release, but the Patchstack reporter requested further changes. I’ve made those and have submitted them for review and am awaiting a reply.

    Specifically, the vulnerability reported exists in a low level user submitting a draft with the shortcode, not with the default buttons output.

    I will try to reach out to Patchstack again–I apologize for the frustration and delay on this.
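The post above describes the usual shape of this bug class: a Contributor can save a draft containing a shortcode, and any shortcode attribute that is printed into the page without escaping becomes stored XSS for whoever later views the rendered post. The block below is an added illustration of that pattern and its fix, not the Scriptless Social Sharing plugin's code and not its actual patch (which is not shown on this page). The shortcode name `share_buttons` and the `hypothetical_share_buttons_*` functions are invented for the example; it assumes a WordPress runtime (`add_shortcode`, `shortcode_atts`, `esc_url`, `esc_attr`, `esc_html`).

```php
<?php
// Added example: an illustrative [share_buttons] shortcode handler, NOT the
// Scriptless Social Sharing plugin's code. Function and shortcode names are
// hypothetical. Assumes a WordPress environment.

// Vulnerable form. Shortcode attributes come straight out of post content,
// which a Contributor is allowed to write. Whatever they put in `title`,
// `url` or `text` is concatenated into the HTML verbatim, so an attribute
// value that closes the quote and opens a <script> tag, or a `url` using the
// javascript: scheme, is stored with the post and fires for any visitor
// (including an Administrator previewing the draft).
function hypothetical_share_buttons_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array(
            'title' => get_the_title(),
            'url'   => get_permalink(),
            'text'  => 'Share',
        ),
        $atts,
        'share_buttons'
    );

    return '<a class="share" href="' . $atts['url'] . '" title="' . $atts['title'] . '">'
        . $atts['text'] . '</a>';
}

// Hardened form. Every attacker-controlled value is escaped for the exact
// context it lands in: esc_url() for the href (it also strips disallowed
// schemes such as javascript:, which attribute quoting alone would not
// prevent), esc_attr() for the title attribute, esc_html() for text content.
function hypothetical_share_buttons_hardened( $atts ) {
    $atts = shortcode_atts(
        array(
            'title' => get_the_title(),
            'url'   => get_permalink(),
            'text'  => 'Share',
        ),
        $atts,
        'share_buttons'
    );

    return sprintf(
        '<a class="share" href="%s" title="%s">%s</a>',
        esc_url( $atts['url'] ),
        esc_attr( $atts['title'] ),
        esc_html( $atts['text'] )
    );
}

// Register only the hardened handler. The vulnerable one is kept above purely
// for comparison and is never wired to a shortcode.
add_shortcode( 'share_buttons', 'hypothetical_share_buttons_hardened' );
```

When reviewing a shortcode for this class of bug, check two things: that defaults are applied through `shortcode_atts()` so unexpected attributes cannot be smuggled in, and that each attribute is escaped at output time with the function matching its HTML context rather than being sanitized once on the way in. Escaping at output is what makes the Contributor-level draft case safe regardless of which capability the author had when the content was saved.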

    @littlerchicken, have you heard back from Patchstack? If not, could you release an updated plugin containing the fix? Maybe the change in version number along with fixing the vulnerability will cause Patchstack to stop flagging it as vulnerable.

    @littlerchicken, can you please reply? As you can see, many people are looking for a status update.

    @littlerchicken, please reply as soon as you’re able. Security vulnerabilities are serious, and several people have requested a status update. I’m sure many other users of your plugin who haven’t taken the time to post are also wondering about this.

    Plugin Author Robin Cornett

    (@littlerchicken)

    My apologies for the delay. I’ve just released 3.3.1 with a confirmed fix.

    Chad Warner

    (@chad-warner)

    @littlerchicken Thank you! 3.3.1 is no longer being flagged as vulnerable.

