In early 2024, a security flaw was identified in the popular WordPress plugin Simple Social Media Share Buttons, used on thousands of websites to enhance social media engagement. The vulnerability, now tracked as CVE-2024-13610, allows attackers to inject persistent JavaScript (Stored XSS) into the admin panel via the YouTube Channel ID field inside the widget settings. In the worst-case scenario, this could lead to the creation of backdoor admin accounts, full site compromise, or even malware distribution to site visitors.
| Field | Value |
|---|---|
| CVE | CVE-2024-13610 |
| Plugin | Simple Social Media Share Buttons < 6.0.0 |
| Severity | High |
| All-time downloads | 1 279 996 |
| Active installations | 20 000+ |
| Publicly Published | April 07, 2025 |
| Last Updated | April 07, 2025 |
| Researcher | Artyom Krugov |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13610 https://wpscan.com/vulnerability/85229528-1110-4d45-b972-8bbcba003a1f/ |
Timeline
| Date | Event |
|---|---|
| December 24, 2024 | Plugin testing and vulnerability detection in Simple Social Media Share Buttons were completed |
| December 24, 2024 | I contacted the author of the plugin and provided a PoC for the vulnerability with a description and recommendations for fixing it |
| April 07, 2025 | CVE-2024-13610 registered |
Discovery of the Vulnerability
The vulnerability was discovered during a routine security audit of plugin versions below 6.0.0. The issue lies in how the plugin handles user input when configuring the "Social Follow" widget in the Appearance > Widgets section of WordPress.
When YouTube is selected as the social channel, the Channel ID field is neither sanitized on save nor escaped on output. An attacker with access to the widget settings can therefore store arbitrary JavaScript, which is later executed in the context of the admin dashboard whenever the widget form is rendered, creating a Stored Cross-Site Scripting (XSS) vector.
Understanding XSS Attacks
Stored XSS (also called persistent XSS) occurs when a malicious script is injected into a website and stored on the server — in a database, comment, widget setting, or other persistent storage — and later displayed in the browser without sanitization.
In WordPress environments, Stored XSS is particularly dangerous due to the widespread use of plugins and themes that manage content inputs dynamically. A typical real-world scenario might include:
- Malicious code injected into a comment or widget.
- Script executed when an admin visits a particular backend page.
- The payload steals the admin’s session or performs actions on their behalf using the same CSRF token/session.
Exploiting the XSS Vulnerability
To exploit CVE-2024-13610:
POC:
1) Log in to WordPress as a user with access to Appearance settings (Contributor or Editor roles may sometimes suffice, depending on site configuration).
2) Navigate to Appearance > Widgets.
3) Select the Social Follow widget and choose YouTube.
4) Insert the following XSS payload into the YouTube Channel ID field:
5) Save the widget.
____
When an administrator views the widget area in the backend, the script executes, displaying an alert or — in real attacks — running malicious code to:
- Steal cookies or session tokens.
- Create unauthorized admin users via background requests.
- Redirect the admin to malicious sites.
- Load crypto miners or phishing interfaces.
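Step 1 of the PoC notes that non-administrator roles may be able to reach Appearance > Widgets depending on site configuration. The defender's counterpart is to check exactly which roles and accounts hold that access. The script below is an added example written for this advisory, not code from the plugin or from the original post; it assumes it is run with WP-CLI (`wp eval-file audit-widget-access.php`, the file name being an assumption), that the `ssmsb_audit_` function prefix is free, and that Administrator is the only role expected to hold the capability on the site.

```php
<?php
/*
 * Added example, not part of the advisory or the plugin. Run inside a site with
 * WP-CLI:  wp eval-file audit-widget-access.php   (the file name is an assumption).
 * WordPress gates Appearance > Widgets on the "edit_theme_options" capability,
 * which only the Administrator role holds by default; a plugin or a role editor
 * can grant it to Editors or Contributors, which is what lets a lower-privileged
 * account plant a stored payload that runs in an administrator's browser.
 */

/** Role slugs whose capability map grants $cap (an explicit false counts as denied). */
function ssmsb_audit_roles_with_cap( $cap ) {
    $matches = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities'][ $cap ] ) ) {
            $matches[] = $slug;
        }
    }
    return $matches;
}

/** Login names of all users currently assigned to $role. */
function ssmsb_audit_users_in_role( $role ) {
    $users = get_users( array( 'role' => $role, 'fields' => array( 'user_login' ) ) );
    return wp_list_pluck( $users, 'user_login' );
}

$cap      = 'edit_theme_options';
$allowed  = ssmsb_audit_roles_with_cap( $cap );
$expected = array( 'administrator' );   // assumption: the only role that should hold it here
$extra    = array_diff( $allowed, $expected );

echo "Roles that can edit widgets ({$cap}): " . implode( ', ', $allowed ) . PHP_EOL;
foreach ( $allowed as $slug ) {
    echo "  {$slug}: " . implode( ', ', ssmsb_audit_users_in_role( $slug ) ) . PHP_EOL;
}

if ( $extra ) {
    echo 'WARNING: widget access extends beyond the default role: ' . implode( ', ', $extra ) . PHP_EOL;
    echo 'Inspect with "wp cap list <role>" and revoke with "wp cap remove <role> edit_theme_options".' . PHP_EOL;
    exit( 1 );   // non-zero exit so a scheduled run can alert on drift
}
echo 'OK: only administrators can reach Appearance > Widgets.' . PHP_EOL;
```

Running this on a schedule turns the "regularly audit user roles and capabilities" advice into a concrete check: any role other than Administrator appearing in the output is an account population that could reach the vulnerable field before the plugin is updated.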
Recommendations for Improved Security
To mitigate the risks posed by CVE-2024-13610, administrators should:
- Immediately update the Simple Social Media Share Buttons plugin to version 6.0.0 or later.
- Ensure all widget inputs (such as the YouTube Channel ID field) are properly sanitized and validated.
- Implement a strict Content Security Policy (CSP) to reduce the impact of XSS attacks.
- Limit permissions for non-admin users who can access Appearance settings.
- Regularly audit user roles and capabilities.
- Use WordPress sanitization and escaping functions such as sanitize_text_field() and esc_attr() to prevent injection of malicious code into stored settings.
The vendor applied the prevention methods we recommended to fix this type of attack.
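The following pair of WP_Widget classes is an added illustration written for this advisory, not the plugin's own code: the class names, the `youtube_id` option key and the markup are assumptions. The first class shows the unsafe pattern the Discovery section describes (value stored verbatim, echoed unescaped into the admin form); the second applies the recommendations above by sanitizing on save with sanitize_text_field(), validating the channel ID against its expected shape (assumed here to be `UC` followed by 22 URL-safe characters), and escaping on output with esc_attr() and esc_url().

```php
<?php
/*
 * Added example (not the plugin's code). Class names, the option key and the
 * HTML are assumptions chosen to mirror the sink described in the advisory.
 * Only the hardened class is registered; the vulnerable one is shown for contrast.
 */

// VULNERABLE PATTERN: the channel ID is stored and echoed exactly as typed.
class Vulnerable_Social_Follow_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'vuln_social_follow', 'Social Follow (vulnerable pattern)' );
    }

    public function update( $new_instance, $old_instance ) {
        // No sanitisation: whatever was submitted is persisted to wp_options.
        return array( 'youtube_id' => $new_instance['youtube_id'] );
    }

    public function form( $instance ) {
        $id = isset( $instance['youtube_id'] ) ? $instance['youtube_id'] : '';
        // No escaping: a stored value can close the value="" attribute and inject
        // markup that runs in the browser of whoever opens Appearance > Widgets.
        echo '<input type="text" name="' . $this->get_field_name( 'youtube_id' ) . '" value="' . $id . '">';
    }

    public function widget( $args, $instance ) {
        echo $args['before_widget'];
        echo '<a href="https://www.youtube.com/channel/' . $instance['youtube_id'] . '">YouTube</a>';
        echo $args['after_widget'];
    }
}

// HARDENED PATTERN: sanitise on the way in, validate the format, escape on the way out.
class Hardened_Social_Follow_Widget extends WP_Widget {
    public function __construct() {
        parent::__construct( 'hard_social_follow', 'Social Follow (hardened)' );
    }

    /**
     * A YouTube channel ID is normally "UC" followed by 22 URL-safe base64 characters.
     * Assumption: enforce exactly that shape; anything else is dropped, so no
     * markup can ever reach wp_options through this field.
     */
    public static function sanitize_channel_id( $raw ) {
        $clean = sanitize_text_field( (string) $raw );   // strips tags, NULs and line breaks
        return preg_match( '/^UC[A-Za-z0-9_-]{22}$/', $clean ) ? $clean : '';
    }

    public function update( $new_instance, $old_instance ) {
        $id = isset( $new_instance['youtube_id'] ) ? $new_instance['youtube_id'] : '';
        return array( 'youtube_id' => self::sanitize_channel_id( $id ) );
    }

    public function form( $instance ) {
        $id = isset( $instance['youtube_id'] ) ? $instance['youtube_id'] : '';
        printf(
            '<p><label for="%1$s">YouTube Channel ID</label>'
            . '<input class="widefat" id="%1$s" type="text" name="%2$s" value="%3$s" maxlength="24"></p>',
            esc_attr( $this->get_field_id( 'youtube_id' ) ),
            esc_attr( $this->get_field_name( 'youtube_id' ) ),
            esc_attr( $id )   // esc_attr() neutralises quotes and angle brackets inside the attribute
        );
    }

    public function widget( $args, $instance ) {
        $id = isset( $instance['youtube_id'] ) ? $instance['youtube_id'] : '';
        if ( '' === $id ) {
            return;   // nothing valid stored: render nothing rather than a broken link
        }
        echo $args['before_widget'];
        printf(
            '<a href="%s" rel="noopener" target="_blank">YouTube</a>',
            esc_url( 'https://www.youtube.com/channel/' . rawurlencode( $id ) )
        );
        echo $args['after_widget'];
    }
}

add_action( 'widgets_init', function () {
    register_widget( 'Hardened_Social_Follow_Widget' );
} );
```

The two defensive layers are independent. Even if the format check were relaxed (some sites may accept legacy or custom channel handles), esc_attr() in form() alone keeps a stored value from breaking out of the input attribute, which is the exact sink this advisory describes; the allow-list regex additionally rejects hostile input at save time, so a malicious value never reaches the database in the first place.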
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-13610, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Artyom k.