During security research I found an authenticated Stored XSS vulnerability. The name of the plugin is WordPress Social Media Share Buttons, and the affected versions are < 3.8.1.


Authenticated Stored Cross-Site Scripting (XSS) vulnerability 
discovered by Asif Nawaz Minhas (Patchstack Alliance) 
in WordPress Social Media Share Buttons plugin (versions <= 3.8.1).


In the left column, go to MashShare > Settings.
Scroll down to shares.

In Share Count Label, use the following payload:


Scroll down to Post Types and select the page checkbox too.
Scroll down a little bit more and set Frontpage to ON.
Now scroll all the way down and click on the blue button Save Changes.
Log out of WordPress and visit any page you like.
Now you will see the stored XSS popping up.
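
Per the steps above, a value saved in the Share Count Label setting is later rendered to logged-out visitors. The PHP below is an added example, not the plugin's code or its patch: the function names and the sample value are hypothetical, and it shows the two controls that close this class of bug, treating the label as plain text on save and escaping it on output.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.

// Save time: treat the label as plain text. In WordPress this role is
// played by sanitize_text_field() in the setting's sanitize callback.
function sanitize_label(string $raw): string {
    $text = strip_tags($raw);                                  // drop markup
    $text = (string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $text); // control chars
    return trim($text);
}

// Render time: escape for an HTML text context no matter what is stored.
// In WordPress this role is played by esc_html().
function render_label(string $stored): string {
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="share-count-label">' . $safe . '</span>';
}

// Unsafe pattern for comparison: the stored value is concatenated into
// the page as-is, so any markup in it becomes part of the document.
function render_label_unescaped(string $stored): string {
    return '<span class="share-count-label">' . $stored . '</span>';
}

// Constructed sample: benign markup standing in for untrusted input.
$submitted = '<em class="x">SHARES</em> & "likes"';

$stored_raw   = $submitted;                 // what an unsanitized save keeps
$stored_clean = sanitize_label($submitted); // what a sanitized save keeps

echo "unescaped output : ", render_label_unescaped($stored_raw), PHP_EOL;
echo "escaped output   : ", render_label($stored_raw), PHP_EOL;
echo "sanitized+escaped: ", render_label($stored_clean), PHP_EOL;
```

Escaping at render time is the control that matters for values already in the database, since sanitising on save only affects settings written after the fix.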

Additional information

Patchstack link: https://patchstack.com/database/vulnerability/mashsharer/wordpress-social-media-share-buttons-plugin-3-8-1-authenticated-stored-cross-site-scripting-xss-vulnerability


NIST link: https://nvd.nist.gov/vuln/detail/CVE-2021-36849

The plugin has more than 30,000 active installations.