CVE-2024-12807: 
WordPress vulnerability analysis and mitigation

The Social Share Buttons for WordPress plugin through version 2.7 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Bob Matyas and publicly disclosed on January 6, 2025. This security issue affects the plugin's settings functionality, particularly impacting WordPress installations, including multisite setups (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. The issue has been assigned a CVSS 3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified under OWASP Top 10 category A7: Cross-Site Scripting (XSS) and CWE-79 (NVD, WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is disallowed. This is particularly significant in multisite WordPress installations where such restrictions are commonly implemented (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the Social Share Buttons for WordPress plugin should monitor for updates and consider implementing additional security controls or alternative solutions (WPScan).