CVE-2025-10140
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | quick_social_login | 1.4.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Quick Social Login WordPress plugin (up to version 1.4.6) is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize or escape user-supplied attributes in its 'quick-login' shortcode. This allows authenticated users with contributor-level access or higher to inject malicious scripts into pages. These scripts then execute whenever any user views the affected page, potentially compromising site security.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with contributor-level access or above to inject arbitrary JavaScript into pages on your WordPress site. When other users visit these pages, the malicious scripts can execute in their browsers, potentially leading to session hijacking, defacement, theft of sensitive information, or further compromise of the website. Since the vulnerability is a stored XSS, the malicious code persists and affects all visitors to the injected pages.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the Quick Social Login plugin version 1.4.6 or earlier is installed and active on your WordPress site. Since the vulnerability is a Stored Cross-Site Scripting via the 'quick-login' shortcode, you can search your WordPress content for usage of the [quick-login] shortcode and inspect pages for injected scripts. There are no specific network commands provided to detect exploitation. However, you can use WordPress CLI commands to list installed plugins and their versions, for example: `wp plugin list --status=active` to check if Quick Social Login is active, and `wp post list --post_type=page,post --field=ID` combined with `wp post get <ID> --field=post_content` to search for the shortcode usage. Additionally, monitoring HTTP responses for unexpected script injections in pages using the shortcode can help detect exploitation. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or uninstalling the Quick Social Login plugin version 1.4.6 or earlier, as it has been removed from official download pending a security review. Avoid using the 'quick-login' shortcode until a patched version is released. Review and sanitize any content where the shortcode was used to remove potentially injected scripts. Additionally, restrict contributor-level and higher users from adding or editing content with the shortcode until the issue is resolved. Monitor your site for suspicious activity related to social login functionality. [1]