vulnerability

WordPress Plugin: sassy-social-share: CVE-2021-39321: Deserialization of Untrusted Data

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:S/C:P/I:P/A:P)	Oct 21, 2021	May 15, 2025	Jul 9, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:P/A:P)

Published

Oct 21, 2021

Added

May 15, 2025

Modified

Jul 9, 2025

Description

Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user supplied inputs via the import_config function found in the ~/admin/class-sassy-social-share-admin.php file. This can be exploited by underprivileged authenticated users due to a missing capability check on the import_config function.

Solution

sassy-social-share-plugin-cve-2021-39321

References

URL-https://www.cve.org/CVERecord?id=CVE-2021-39321
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/ddb7b668-f023-427e-9ab5-90dc6d481028?source=api-prod
CVE-2021-39321
https://attackerkb.com/topics/CVE-2021-39321
CWE-863
CWE-502

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today