Hubbub Lite – Fast, free social sharing and follow buttons Security & Risk Analysis

wordpress.org/plugins/social-pug

Your content is worth sharing. Let's make it easier!

30K active installs · v1.36.3 · PHP 7.2.24+ · WP 5.3+ · Updated Dec 9, 2025
Tags: social-buttons, social-media, social-network, social-share, social-sharing
Score: 92 · A · Safe
CVEs total: 9
Unpatched: 0
Last CVE: Nov 5, 2025
Safety Verdict

Is Hubbub Lite – Fast, free social sharing and follow buttons Safe to Use in 2026?

Generally Safe

Score 92/100

Hubbub Lite – Fast, free social sharing and follow buttons has a strong security track record. Known vulnerabilities have been patched promptly.

9 known CVEs · Last CVE: Nov 5, 2025 · Updated 3mo ago
Risk Assessment

The social-pug plugin, version 1.36.3, presents a mixed security posture. It follows good practice in some areas: all SQL queries use prepared statements, and the code contains a significant number of nonce and capability checks. Several findings still warrant attention.

The 4 unprotected AJAX handlers significantly widen the attack surface, potentially allowing unauthorized users to trigger plugin functionality. The two calls to `unserialize` raise concerns about deserialization vulnerabilities, especially if external input is unserialized without proper validation.

The plugin's vulnerability history is a notable weakness: 9 CVEs, including 1 high-severity and 8 medium-severity. The common types of past vulnerabilities (Exposure of Sensitive Information, Deserialization of Untrusted Data, Cross-site Scripting, and Missing Authorization) correlate directly with the static analysis findings of unprotected AJAX handlers and `unserialize` use. There are currently no unpatched CVEs and the last reported vulnerability is dated 2025-11-05, but the recurring pattern of these vulnerability types suggests a persistent need for more robust security controls.

Only 67% of outputs are properly escaped, which is a moderate concern and leaves room for potential XSS vulnerabilities, although no critical or high taint flows were detected.

Key Concerns

  • 4 unprotected AJAX handlers
  • Use of unserialize function
  • 1 high severity CVE in history
  • 8 medium severity CVEs in history
  • 33% of outputs not properly escaped
  • Recurring vulnerability types found
Vulnerabilities: 9

Hubbub Lite – Fast, free social sharing and follow buttons Security Vulnerabilities

CVEs by Year

  • 2016: 1 CVE
  • 2021: 1 CVE
  • 2023: 1 CVE
  • 2024: 3 CVEs
  • 2025: 3 CVEs

Severity Breakdown

  • High: 1
  • Medium: 8

9 total CVEs

CVE-2025-12471 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Hubbub Lite <= 1.36.0 - Reflected Cross-Site Scripting

Nov 5, 2025 · Patched in 1.36.1 (1d)

CVE-2025-58007 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

Hubbub Lite <= 1.35.1 - Authenticated (Subscriber+) Sensitive Information Exposure

Sep 22, 2025 · Patched in 1.36.0 (17d)

CVE-2024-10145 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Hubbub Lite <= 1.34.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Mar 2, 2025 · Patched in 1.34.4 (87d)

CVE-2024-2501 · high · 7.5 · Deserialization of Untrusted Data

Hubbub Lite – Fast, Reliable Social Network Sharing Buttons <= 1.33.1 - PHP Object Injection

Mar 27, 2024 · Patched in 1.33.2 (14d)

CVE-2024-1526 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Hubbub Lite <= 1.31.0 - Unauthenticated Information Exposure

Mar 11, 2024 · Patched in 1.33.1 (45d)

CVE-2023-7154 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Hubbub Lite <= 1.31.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Jan 11, 2024 · Patched in 1.32.0 (27d)

CVE-2023-49193 · medium · 5.3 · Missing Authorization

Social Pug <= 1.30.0 - Missing Authorization via multiple admin_init actions

Dec 1, 2023 · Patched in 1.30.1 (53d)

WF-d24c9310-5470-4d08-83b3-c801f4d25d3e-social-pug · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Grow Social <= 1.18.2 - Reflected Cross-Site Scripting

Jul 8, 2021 · Patched in 1.19.0 (929d)

CVE-2016-10736 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Grow Social <= 1.2.5 - Reflected Cross-Site Scripting

Dec 9, 2016 · Patched in 1.2.6 (2601d)

Code Analysis
Analyzed Mar 16, 2026

Hubbub Lite – Fast, free social sharing and follow buttons Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 0 (2 prepared)
  • Unescaped Output: 204 (414 escaped)
  • Nonce Checks: 12
  • Capability Checks: 10
  • File Operations: 0
  • External Requests: 6
  • Bundled Libraries: 2

Dangerous Functions Found

unserialize · inc\admin\admin-metaboxes.php:476
$output .= print_r( unserialize( $meta_value[0] ), true ); // @codingStandardsIgnoreLine

unserialize · inc\class-share-count-url-counts.php:173
$counts = unserialize( $data );

Bundled Libraries

TinyMCE, Select2

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

67% escaped · 618 total outputs

Data Flows: 4 unsanitized

Data Flow Analysis

11 flows · 4 with unsanitized paths
dpsp_refresh_share_counts (inc\admin\admin-metaboxes.php:494)

Attack Surface: 4 unprotected

Hubbub Lite – Fast, free social sharing and follow buttons Attack Surface

Entry Points: 8
Unprotected: 4

AJAX Handlers: 8

auth · wp_ajax_dpsp_refresh_share_counts · inc\admin\admin-metaboxes.php:697
auth · wp_ajax_dpsp_refresh_all_share_counts · inc\admin\admin-metaboxes.php:699
auth · wp_ajax_dpsp_ajax_get_hubbub_metaboxes · inc\admin\submenu-page-dashboard.php:34
auth · wp_ajax_dpsp_ajax_dashboard_save_post_meta · inc\admin\submenu-page-dashboard.php:35
auth · wp_ajax_dpsp_ajax_lite_save_and_activate_license · inc\class-social-pug.php:295
nopriv · wp_ajax_dpsp_ajax_lite_save_and_activate_license · inc\class-social-pug.php:296
auth · wp_ajax_dpsp_activate_tool · inc\functions-tools.php:337
auth · wp_ajax_dpsp_deactivate_tool · inc\functions-tools.php:338

WordPress Hooks: 153

action · add_meta_boxes · inc\admin\admin-metaboxes.php:696
action · save_post · inc\admin\admin-metaboxes.php:698
action · widgets_init · inc\admin\admin-widgets.php:16
action · admin_menu · inc\admin\submenu-page-dashboard.php:32
action · admin_menu · inc\admin\submenu-page-debugger.php:27
action · admin_menu · inc\admin\submenu-page-settings.php:124
action · admin_init · inc\admin\submenu-page-settings.php:125
filter · pre_update_option_dpsp_settings · inc\admin\submenu-page-settings.php:126
action · update_option_dpsp_settings · inc\admin\submenu-page-settings.php:127
action · pre_update_option_dpsp_settings · inc\admin\submenu-page-settings.php:128
action · admin_menu · inc\admin\submenu-page-toolkit.php:27
action · update_option_dpsp_settings · inc\class-activation-lite.php:186
action · wp_loaded · inc\class-activation-lite.php:187
action · update_option_dpsp_settings · inc\class-activation.php:187
action · wp_loaded · inc\class-activation.php:188
action · admin_notices · inc\class-admin-notices.php:32
action · admin_notices · inc\class-admin-notices.php:33
action · admin_notices · inc\class-admin-notices.php:34
action · admin_notices · inc\class-admin-notices.php:35
action · admin_init · inc\class-admin-notices.php:41
action · admin_init · inc\class-admin-notices.php:45
action · dpsp_first_activation · inc\class-admin-notices.php:48
filter · removable_query_args · inc\class-admin-notices.php:49
action · admin_notices · inc\class-admin-notices.php:52
filter · script_loader_tag · inc\class-asset-loader.php:33
filter · script_loader_tag · inc\class-asset-loader.php:34
filter · style_loader_tag · inc\class-asset-loader.php:35
action · dpsp_post_enqueue_frontend_scripts · inc\class-asset-loader.php:36
filter · dpsp_get_post_title · inc\class-compatibility.php:43
filter · dpsp_get_post_description · inc\class-compatibility.php:44
filter · dpsp_get_post_image_data · inc\class-compatibility.php:45
filter · mv_grow_build_tags · inc\class-compatibility.php:46
filter · jetpack_enable_opengraph · inc\class-compatibility.php:252
filter · jetpack_enable_open_graph · inc\class-compatibility.php:253
filter · wpseo_frontend_presenters · inc\class-compatibility.php:256
action · mv_grow_plugin_activated · inc\class-data-sync.php:34
action · mv_grow_plugin_activated · inc\class-data-sync.php:35
action · mv_grow_plugin_updated · inc\class-data-sync.php:36
action · mv_grow_sync_data · inc\class-data-sync.php:37
action · mv_grow_plugin_deactivated · inc\class-data-sync.php:38
action · mv_grow_plugin_deactivated · inc\class-data-sync.php:39
action · wp_footer · inc\class-frontend-data.php:45
action · admin_footer · inc\class-frontend-data.php:46
filter · mv_grow_frontend_data · inc\class-frontend-data.php:47
filter · mv_grow_frontend_data · inc\class-frontend-data.php:48
filter · mv_grow_frontend_data · inc\class-frontend-data.php:49
filter · mv_grow_frontend_admin_data · inc\class-frontend-data.php:50
filter · mv_grow_frontend_admin_data · inc\class-frontend-data.php:51
filter · mv_grow_frontend_admin_data · inc\class-frontend-data.php:52
filter · mv_grow_frontend_admin_data · inc\class-frontend-data.php:53
filter · mv_grow_frontend_admin_data · inc\class-frontend-data.php:54
action · rest_api_init · inc\class-settings-api.php:39
action · wp_head · inc\class-share-counts.php:51
action · dpsp_update_post_share_counts · inc\class-share-counts.php:52
filter · dpsp_get_post_total_share_count · inc\class-share-counts.php:53
filter · dpsp_get_output_post_shares_counts · inc\class-share-counts.php:54
filter · dpsp_get_output_total_share_count · inc\class-share-counts.php:55
filter · mv_grow_scripts_should_enqueue · inc\class-shortcodes.php:78
filter · dpsp_get_output_post_shares_counts · inc\class-shortcodes.php:234
filter · dpsp_get_output_total_share_count · inc\class-shortcodes.php:235
filter · mv_grow_frontend_data · inc\class-shortcodes.php:251
filter · mv_grow_scripts_should_enqueue · inc\class-shortcodes.php:294
filter · mv_grow_scripts_should_enqueue · inc\class-shortcodes.php:429
action · after_setup_theme · inc\class-social-pug.php:113
action · wp_head · inc\class-social-pug.php:116
action · wp · inc\class-social-pug.php:117
action · mv_grow_meta_tag_hook · inc\class-social-pug.php:118
action · rest_api_init · inc\class-social-pug.php:127
action · init · inc\class-social-pug.php:155
action · admin_menu · inc\class-social-pug.php:156
action · admin_init · inc\class-social-pug.php:157
action · admin_menu · inc\class-social-pug.php:158
action · admin_enqueue_scripts · inc\class-social-pug.php:159
action · wp_enqueue_scripts · inc\class-social-pug.php:160
action · wp_enqueue_scripts · inc\class-social-pug.php:161
action · wp_footer · inc\class-social-pug.php:162
action · admin_init · inc\class-social-pug.php:163
filter · body_class · inc\class-social-pug.php:164
action · admin_init · inc\class-social-pug.php:167
filter · rocket_delay_js_exclusions · inc\class-social-pug.php:170
filter · perfmatters_delay_js_exclusions · inc\class-social-pug.php:173
action · admin_init · inc\class-social-pug.php:179
filter · admin_body_class · inc\class-social-pug.php:182
filter · safe_style_css · inc\class-social-pug.php:187
action · init · inc\class-social-pug.php:191
action · wp_head · inc\class-social-pug.php:224
filter · upgrader_pre_install · inc\class-social-pug.php:243
action · enqueue_block_editor_assets · inc\class-social-pug.php:246
action · enqueue_block_assets · inc\class-social-pug.php:249
action · init · inc\class-social-pug.php:267
filter · the_content · inc\class-social-pug.php:271
filter · hubbub_save_this_the_content · inc\class-social-pug.php:272
filter · query_vars · inc\class-social-pug.php:273
action · dpsp_submenu_page_bottom · inc\class-social-pug.php:284
action · admin_menu · inc\class-social-pug.php:285
filter · mv_grow_is_free · inc\class-social-pug.php:286
filter · post_class · inc\class-subscribe-widget.php:35
action · admin_notices · inc\functions-admin.php:740
filter · dpsp_network_buttons_outputter_settings · inc\functions-admin.php:741
action · admin_init · inc\functions-admin.php:742
action · pre_get_posts · inc\functions-admin.php:743
action · save_post · inc\functions-admin.php:744
filter · cron_schedules · inc\functions-cron.php:117
action · dpsp_cron_update_serial_key_status · inc\functions-cron.php:118
action · dpsp_cron_check_serial_key_status · inc\functions-cron.php:119
action · dpsp_cron_refresh_constant_contact_token · inc\functions-cron.php:120
action · dpsp_update_database · inc\functions-cron.php:121
filter · dpsp_get_output_post_shares_counts · inc\functions-frontend.php:237
filter · dpsp_get_output_total_share_count · inc\functions-frontend.php:238
action · wp · inc\functions-post.php:490
filter · dpsp_get_post_title · inc\functions-post.php:491
filter · dpsp_get_post_description · inc\functions-post.php:492
filter · dpsp_get_post_image_data · inc\functions-post.php:493
filter · dpsp_get_active_networks · inc\functions.php:767
filter · dpsp_is_location_displayable · inc\functions.php:768
filter · mv_grow_pinterest_ignore_selectors · inc\integrations\class-mv-create.php:36
filter · mv_trellis_css_allowlist · inc\integrations\class-mv-trellis.php:48
filter · tha_aside_before_entry_content · inc\integrations\class-mv-trellis.php:76
filter · tha_aside_after_entry_content · inc\integrations\class-mv-trellis.php:77
filter · tha_entry_before · inc\integrations\class-mv-trellis.php:79
filter · tha_entry_after · inc\integrations\class-mv-trellis.php:80
filter · mv_grow_scripts_should_enqueue · inc\tools\follow-widget\class-dpsp-social-media-follow-buttons.php:35
filter · dpsp_output_inline_style · inc\tools\follow-widget\class-follow-widget.php:27
action · widgets_init · inc\tools\follow-widget\follow-widget.php:26
filter · dpsp_get_tools · inc\tools\follow-widget\follow-widget.php:27
action · admin_menu · inc\tools\follow-widget\follow-widget.php:28
action · admin_init · inc\tools\follow-widget\follow-widget.php:29
filter · dpsp_output_inline_style · inc\tools\share-floating-sidebar\class-floating-sidebar.php:35
filter · mv_grow_frontend_data · inc\tools\share-floating-sidebar\class-floating-sidebar.php:36
action · wp_footer · inc\tools\share-floating-sidebar\share-floating-sidebar.php:26
filter · dpsp_get_tools · inc\tools\share-floating-sidebar\share-floating-sidebar.php:27
action · admin_menu · inc\tools\share-floating-sidebar\share-floating-sidebar.php:28
action · admin_init · inc\tools\share-floating-sidebar\share-floating-sidebar.php:29
filter · dpsp_output_inline_style · inc\tools\share-inline-content\class-inline-content.php:32
filter · mv_grow_frontend_data · inc\tools\share-inline-content\class-inline-content.php:75
action · loop_start · inc\tools\share-inline-content\functions-frontend.php:59
filter · woocommerce_short_description · inc\tools\share-inline-content\functions-frontend.php:65
filter · mv_grow_frontend_data · inc\tools\share-inline-content\functions-frontend.php:67
filter · mv_grow_critical_styles_content · inc\tools\share-inline-content\functions-frontend.php:469
filter · dpsp_get_tools · inc\tools\share-inline-content\share-inline-content.php:25
action · admin_menu · inc\tools\share-inline-content\share-inline-content.php:26
action · admin_init · inc\tools\share-inline-content\share-inline-content.php:27
filter · dpsp_output_inline_style · inc\tools\share-sticky-bar\class-sticky-bar.php:34
filter · dpsp_get_tools · inc\tools\share-sticky-bar\share-sticky-bar.php:26
action · wp_footer · inc\tools\share-sticky-bar\share-sticky-bar.php:27
filter · the_content · inc\tools\share-sticky-bar\share-sticky-bar.php:28
filter · mv_grow_frontend_data · inc\tools\share-sticky-bar\share-sticky-bar.php:29
action · admin_menu · inc\tools\share-sticky-bar\share-sticky-bar.php:30
action · admin_init · inc\tools\share-sticky-bar\share-sticky-bar.php:31
filter · mv_grow_scripts_should_enqueue · inc\widgets\class-dpsp-top-shared-posts.php:36
action · admin_notices · index.php:24
action · admin_head · index.php:25
action · init · index.php:45

Scheduled Events: 3

dpsp_cron_check_serial_key_status
dpsp_cron_refresh_constant_contact_token
dpsp_cron_refresh_constant_contact_token
Maintenance & Trust

Hubbub Lite – Fast, free social sharing and follow buttons Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 9, 2025
  • PHP min version: 7.2.24
  • Downloads: 2.0M

Community Trust

  • Rating: 94/100
  • Number of ratings: 172
  • Active installs: 30K
Developer Profile

Hubbub Lite – Fast, free social sharing and follow buttons Developer Profile

NerdPress

4 plugins · 191K total installs

  • Trust score: 78
  • Avg Security Score: 98/100
  • Avg Patch Time: 328 days
Detection Fingerprints

How We Detect Hubbub Lite – Fast, free social sharing and follow buttons

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/social-pug/inc/admin/feedback-form/assets/css/style-admin-feedback-form.css
  • /wp-content/plugins/social-pug/inc/admin/feedback-form/assets/js/script-admin-feedback-form.js
  • /wp-content/plugins/social-pug/assets/dist/dev-entry-jquery.css
  • /wp-content/plugins/social-pug/assets/dist/dev-entry-jquery.js
  • /wp-content/plugins/social-pug/assets/dist/dev-entry.css
  • /wp-content/plugins/social-pug/assets/dist/dev-entry.js
  • /wp-content/plugins/social-pug/assets/dist/style-frontend-pro-jquery.css
  • /wp-content/plugins/social-pug/assets/dist/front-end-pro-jquery.js
  • +1 more

Script Paths

  • /wp-content/plugins/social-pug/assets/dist/dev-entry-jquery.js
  • /wp-content/plugins/social-pug/assets/dist/dev-entry.js
  • /wp-content/plugins/social-pug/assets/dist/front-end-pro-jquery.js
  • /wp-content/plugins/social-pug/assets/dist/front-end-free.js
  • /wp-content/plugins/social-pug/assets/dist/front-end-pro.js

Version Parameters

  • social-pug/assets/dist/dev-entry-jquery.css?ver=
  • social-pug/assets/dist/dev-entry-jquery.js?ver=
  • social-pug/assets/dist/dev-entry.css?ver=
  • social-pug/assets/dist/dev-entry.js?ver=
  • social-pug/assets/dist/style-frontend-pro-jquery.css?ver=
  • social-pug/assets/dist/front-end-pro-jquery.js?ver=
  • social-pug/assets/dist/style-frontend-pro.css?ver=
  • social-pug/assets/dist/front-end-free.js?ver=
  • social-pug/assets/dist/front-end-pro.js?ver=

HTML / DOM Fingerprints

CSS Classes: mv-grow-style, dpsp-frontend-js-pro, dpsp-frontend-style-pro, dpsp-style-feedback, dpsp-script-feedback
Data Attributes: data-noptimize, data-cfasync
JS Globals: dpsp_ajax_send_save_this_email, dpsp_token
FAQ

Frequently Asked Questions about Hubbub Lite – Fast, free social sharing and follow buttons