CVE-2023-3666
BaseFortify

Publication date: 2025-09-03

Last updated on: 2025-09-04

Assigner: WPScan

Description
The Sticky Side Buttons WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-03
EPSS Evaluated: 2026-05-05
External entries: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wordpress
Product: sticky_side_buttons
Version / Range: * (the CPE range is unbounded; the Description narrows it to versions before 2.0.0)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2023-3666 is a stored Cross-Site Scripting (XSS) vulnerability in the Sticky Side Buttons WordPress plugin, versions before 2.0.0. The plugin neither sanitises certain settings on save nor escapes them on output, the 'Button Text' field among them, so a high-privilege user such as an administrator can store JavaScript in a setting. The control that would normally block this is the unfiltered_html capability, but that capability only governs kses filtering of post and comment content; it does nothing for an option value a plugin stores raw, so the injection works even where unfiltered_html is withheld, as it is from site administrators in a multisite installation. Once saved, the script runs in the browser of anyone who loads a page on which the setting is rendered, including the settings page itself when it is reloaded. [1]


How can this vulnerability impact me?

A high-privilege user such as an administrator can inject JavaScript that executes in the browsers of other users who view the affected page, which is a stored XSS. The practical risk is in setups that deliberately withhold unfiltered_html, such as multisite, where a site administrator is not supposed to be able to run script against other users; here that boundary fails, and the payload can run in the session of a super admin or any other visitor to the page. The severity is rated low (CVSS 3.5) because exploitation requires an already privileged account, but a successful attack can still steal session cookies, deface the site, or redirect users to malicious sites. Since WordPress sets its authentication cookies HttpOnly, the more realistic outcome is script acting inside the victim's session: performing admin actions on their behalf rather than exfiltrating the cookie itself. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Check whether the Sticky Side Buttons plugin is installed and, if so, whether its version is below 2.0.0: Plugins > Installed Plugins in the admin panel, or on the server with WP-CLI, `wp plugin list --fields=name,version,status`. For a functional test, and only on a staging copy of the site, an administrator can open the plugin's settings, add a button whose text is `<script>alert(1)</script>`, save, and reload the page; an alert confirms the setting is rendered unescaped. The source provides no network-level signatures, and none are expected: the bug lives in stored settings rendered server-side, so the installed version is the reliable indicator. [1]
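The version check described above, written as a WordPress-side script so that it reads the same plugin headers the admin panel does and compares versions numerically rather than as strings. This is an added example, not code from the BaseFortify page or from the plugin itself. It assumes the plugin's "Plugin Name" header reads exactly "Sticky Side Buttons" (the directory slug is not given on the page), and it is meant to be run inside a WordPress install with `wp eval-file ssb-check.php`.

```php
<?php
/**
 * Added example (not from the BaseFortify page or the Sticky Side Buttons
 * plugin): flag an installed copy of the plugin older than the fixed 2.0.0
 * release. Run with `wp eval-file ssb-check.php` so that the WordPress
 * bootstrap, get_plugins() and is_plugin_active() are available.
 */

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

// Version at which the advisory reports the issue fixed.
const SSB_FIXED_VERSION = '2.0.0';

/**
 * Return [plugin_file => version] for every installed plugin whose
 * "Plugin Name" header is "Sticky Side Buttons" and whose version is below
 * the fixed release. Matching on the header name rather than the directory
 * slug is an assumption: the page does not state the slug.
 */
function ssb_find_vulnerable_copies( array $plugins ) {
    $hits = array();
    foreach ( $plugins as $file => $headers ) {
        if ( $headers['Name'] !== 'Sticky Side Buttons' ) {
            continue;
        }
        $version = $headers['Version'];
        // version_compare() orders 1.9.10 after 1.9.9; a string compare would not.
        // A missing Version header is treated as vulnerable rather than ignored.
        if ( $version === '' || version_compare( $version, SSB_FIXED_VERSION, '<' ) ) {
            $hits[ $file ] = $version;
        }
    }
    return $hits;
}

$hits = ssb_find_vulnerable_copies( get_plugins() );
if ( empty( $hits ) ) {
    echo "No vulnerable Sticky Side Buttons install found.\n";
} else {
    foreach ( $hits as $file => $version ) {
        $state = is_plugin_active( $file ) ? 'active' : 'inactive';
        printf(
            "VULNERABLE: %s version %s (%s); update to %s or later.\n",
            $file,
            $version === '' ? 'unknown' : $version,
            $state,
            SSB_FIXED_VERSION
        );
    }
}
```

An inactive copy is still reported, because its stored settings remain in the database and become live again the moment the plugin is reactivated; on a multisite network, run the script once per site or wrap it in a `wp site list` loop, since the active-plugin state is per site.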


What immediate steps should I take to mitigate this vulnerability?

Update the Sticky Side Buttons plugin to version 2.0.0 or later, where the affected settings are sanitised and escaped. Until the update is applied, limit who can reach the plugin's settings to trusted administrators. After updating, review the stored button settings for HTML or script left by earlier edits, since a fix that sanitises on save does not necessarily rewrite values already in the database. [1]
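The unsanitised-settings pattern described in the explanation above, beside the hardened form that the fix in 2.0.0 amounts to (sanitise on save, escape on output). This is an added example and is not code from the Sticky Side Buttons plugin or from the BaseFortify page; the option name `ssb_button_text`, the `ssb_` function prefix and the nonce action are assumptions chosen for illustration.

```php
<?php
/**
 * Added example, not the plugin's own code. Option names, field names and
 * the `ssb_` prefix are assumptions. It contrasts the unsanitised pattern the
 * advisory describes with the hardened form.
 */

/* --- Vulnerable pattern: stored raw, printed raw ------------------------ */

// Saves whatever the administrator typed. WordPress's kses filtering applies
// only to post and comment content, so a user lacking unfiltered_html is not
// protected here: the option is written without any filtering.
function ssb_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'ssb_settings' );
    update_option( 'ssb_button_text', wp_unslash( $_POST['ssb_button_text'] ) );
}

// Echoes the stored value into markup without escaping: a payload such as
// <script>alert(1)</script> runs for everyone who views the rendered button.
function ssb_render_button_vulnerable() {
    $text = get_option( 'ssb_button_text', '' );
    echo '<a class="ssb-button" href="#">' . $text . '</a>';
}

/* --- Hardened pattern: sanitise on save, escape on output --------------- */

// Registering the option with a sanitize_callback means every write through
// the Settings API passes through it. sanitize_text_field() strips tags and
// control characters, so "<script>" never reaches the database.
function ssb_register_settings() {
    register_setting(
        'ssb_settings_group',
        'ssb_button_text',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'ssb_register_settings' );

// Escape at the point of output, for the context the value lands in:
// esc_html() between tags, esc_attr() inside attribute values. Do this even
// though the value was sanitised on save; the database is not a trust boundary,
// and a value written before the fix is still rendered safely.
function ssb_render_button_hardened() {
    $text = get_option( 'ssb_button_text', '' );
    printf(
        '<a class="ssb-button" href="#" title="%s">%s</a>',
        esc_attr( $text ),
        esc_html( $text )
    );
}
```

If a setting legitimately needs limited markup, swap `sanitize_text_field` for `wp_kses_post` (or a narrower kses allow-list) and still escape on output; what matters is that the plugin enforces its own allow-list instead of relying on unfiltered_html, which never applied to plugin options in the first place.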

