Skip to main content

Share Buttons Plugin CVE-2024-55982

CRITICAL
SQL Injection (CWE-89)
2024-12-16 audit@patchstack.com
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
CVSS changed
Apr 23, 2026 - 15:42 NVD
9.3 (CRITICAL)
CVE Published
Dec 16, 2024 - 15:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in richteam Share Buttons - Social Media rich-web-share-button allows Blind SQL Injection.This issue affects Share Buttons - Social Media: from n/a through <= 1.0.2.

AnalysisAI

Blind SQL injection in the WordPress 'Share Buttons - Social Media' plugin (rich-web-share-button) by richteam through version 1.0.2 allows remote unauthenticated attackers to extract database contents via crafted requests. With a CVSS 9.3 (changed scope) and EPSS at the 96th percentile (26.03%), this represents a high-priority WordPress ecosystem risk despite no public exploit being identified at the time of analysis.

Technical ContextAI

The flaw is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-supplied input flows into a SQL query without proper sanitization or parameterization. Because exploitation is blind, the attacker infers data through boolean or time-based side channels rather than receiving direct query output. The vulnerable component is a WordPress plugin distributed by richteam, designed to render social media share buttons, and the issue was disclosed through Patchstack's vulnerability disclosure program (audit@patchstack.com), which curates WordPress ecosystem CVEs.

Affected ProductsAI

The affected product is the WordPress plugin 'Share Buttons - Social Media' (slug: rich-web-share-button) by richteam, in all versions from initial release through and including 1.0.2. No CPE strings were provided in the input data, and no vendor advisory URL was provided beyond the Patchstack reporter attribution; defenders should consult the Patchstack database entry for this CVE to confirm the patched version and any vendor advisory.

RemediationAI

No vendor-released patch version is independently confirmed from the input data - the description only indicates the issue affects versions up to and including 1.0.2, so administrators should upgrade to any version greater than 1.0.2 once published by richteam and consult the Patchstack advisory for this CVE for the exact fix version. If a patched release is not yet available or cannot be deployed immediately, deactivate and remove the 'Share Buttons - Social Media' plugin (the trade-off is losing social-share functionality on the site, which can be replaced with a static HTML alternative), or place a WordPress-aware WAF rule in front of the site to block SQL injection patterns against the plugin's endpoints (with the trade-off of false positives on legitimate content containing SQL-like strings). Restricting plugin endpoints via web server rules to authenticated administrative IPs is generally not viable because the plugin serves front-end visitors.

Share

CVE-2024-55982 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy