CVE-2025-10166
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-09-17
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| michael_beckwith | social_media_shortcodes | 1.3.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Social Media Shortcodes WordPress plugin, specifically in the 'twitter' shortcode up to version 1.3.1. It occurs because the plugin does not properly sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject malicious scripts. These scripts then execute whenever any user views the affected page, potentially compromising user security. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can allow an attacker with contributor-level access or higher to inject arbitrary JavaScript into pages via the 'twitter' shortcode. When other users visit these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or other malicious actions. This compromises the security and integrity of the affected WordPress site and its users. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if the WordPress site is using the Social Media Shortcodes plugin version 1.3.1 or earlier, as these versions are vulnerable. You can check the installed plugin version via the WordPress admin dashboard or by inspecting the plugin files. Additionally, you can search for usage of the 'twitter' shortcode in posts or pages that might contain malicious script injections. There are no specific network commands provided, but on the server, you can run commands to check the plugin version, for example: `grep 'Version:' wp-content/plugins/social-media-shortcodes/social_media_shortcode_plugin.php` or use WP-CLI: `wp plugin get social-media-shortcodes --field=version`. To detect potential exploitation, review posts/pages for suspicious shortcode attributes containing script tags or unusual content. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Social Media Shortcodes plugin to version 1.3.2 or later, which includes security fixes that properly escape user input and prevent stored cross-site scripting attacks. If updating is not immediately possible, restrict contributor-level access to trusted users only, and audit existing content for injected scripts in shortcode attributes. Applying the update ensures that escaping functions like esc_url(), esc_attr(), and esc_html() are used to sanitize all dynamic content in the plugin's output. [1]