CVE-2026-5425
Stored XSS in Widgets for Social Photo Feed Plugin Allows Script Injection
Publication date: 2026-04-04
Last updated on: 2026-04-04
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trustindex | feed_wordpress_plugin | to 1.8 (exc) |
| trustindex | social_photo_feed_widget | to 1.7.9 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in CVE-2026-5425 affects the Widgets for Social Photo Feed plugin for WordPress, specifically versions up to and including 1.7.9. It is a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient input sanitization and output escaping of the 'feed_data' parameter keys.
This flaw allows unauthenticated attackers to inject arbitrary web scripts into pages that display the social media feeds. These malicious scripts execute whenever a user accesses the infected page, potentially compromising user data or site integrity.
Additionally, the plugin disables SSL verification on multiple remote requests, uses a hardcoded secret key for HMAC signing, and has weak error handling, which together increase the risk of man-in-the-middle attacks, data manipulation, and denial of service.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to inject malicious scripts into your WordPress site pages that use the vulnerable plugin. These scripts can execute in the browsers of your site visitors without their knowledge. Potential impacts include:
- Compromise of user data through theft of cookies or session tokens.
- Defacement or unauthorized modification of website content.
- Potential spread of malware or phishing attacks via injected scripts.
- Disruption of service due to error handling that can cause the plugin to terminate execution unexpectedly.
- Exposure to man-in-the-middle attacks because of disabled SSL verification in plugin communications.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Widgets for Social Photo Feed WordPress plugin versions up to and including 1.7.9. Detection involves identifying if the vulnerable plugin version is installed and checking for suspicious or injected scripts in the 'feed_data' parameter keys.
Since the vulnerability allows unauthenticated attackers to inject arbitrary web scripts, monitoring HTTP requests and responses for unusual or unexpected script content in pages served by the plugin can help detect exploitation attempts.
You can detect the vulnerable plugin version by running commands on the server hosting WordPress to check the installed plugin version, for example:
- Using WP-CLI to check the plugin version: `wp plugin list | grep social-photo-feed-widget`
- Manually inspecting the plugin's main PHP file for version info, e.g., `grep 'Version' wp-content/plugins/social-photo-feed-widget/social-photo-feed-widget.php`
To detect potential exploitation, you can search web server logs for suspicious payloads or script injections targeting the 'feed_data' parameter, for example:
- `grep -i 'feed_data' /var/log/apache2/access.log | grep -E '<script|javascript:'`
- Using network monitoring tools to inspect HTTP traffic for injected scripts in responses from pages using the plugin.
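The grep above only matches payloads written in clear; a URL-encoded `%3Cscript%3E` slips past it. The following log scanner, an added example that is not part of the advisory or of the plugin, decodes each request's `feed_data[...]` keys before checking them. The combined-log format, the `SCRIPT_RE` markers and the sample lines are constructed assumptions.

```python
"""Scan access-log lines for requests carrying script-like content in
'feed_data' parameter keys, the sink named in CVE-2026-5425.

Added example, not part of the advisory or of the plugin. The combined-log
format and the sample lines are constructed; adapt LOG_RE to your server.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Combined log format: host ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Injection markers, checked after full URL decoding so %3Cscript%3E is caught.
SCRIPT_RE = re.compile(
    r'<\s*script|javascript:|\bon[a-z]+\s*=|<\s*(?:img|svg|iframe)\b', re.I)

def feed_data_keys(target: str) -> list[str]:
    """Return the decoded array keys of feed_data[...] parameters in a request target.
    Names are split on the first '=' as PHP's parse_str does, and decoded twice
    to catch double-encoded payloads."""
    keys = []
    for pair in urlsplit(target).query.split('&'):
        name = unquote_plus(unquote_plus(pair.split('=', 1)[0]))
        if name.startswith('feed_data['):
            keys.append(name[len('feed_data['):].rstrip(']'))
    return keys

def suspicious_requests(log_lines):
    """Yield (host, target, key) for lines whose feed_data keys look like XSS."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for key in feed_data_keys(m['target']):
            if SCRIPT_RE.search(key):
                yield m['host'], m['target'], key

# Constructed sample lines: one benign, one raw payload, one URL-encoded payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Apr/2026:10:00:01 +0000] "GET /?feed_data[source]=instagram HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Apr/2026:10:00:02 +0000] "GET /?feed_data[<script>alert(1)</script>]=x HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.9 - - [04/Apr/2026:10:00:03 +0000] "GET /?feed_data%5B%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E%5D=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == '__main__':
    for host, target, key in suspicious_requests(SAMPLE_LOG):
        print(f'{host} {target!r} key={key!r}')
```

Standard access logs record only the request line, so keys submitted in a POST body are invisible here; for those, inspect the stored plugin settings or capture traffic as the last bullet above suggests.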
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the Widgets for Social Photo Feed plugin to version 1.8 or later, where the vulnerability has been addressed.
Additional immediate steps include:
- Disable or remove the vulnerable plugin if an update is not immediately possible.
- Implement Web Application Firewall (WAF) rules to block requests containing suspicious 'feed_data' parameter payloads.
- Monitor and sanitize inputs and outputs related to the plugin to prevent stored cross-site scripting.
- Ensure SSL verification is enabled for all remote requests to prevent man-in-the-middle attacks, as the plugin disables SSL verification by default.
Finally, review and harden the plugin's configuration and WordPress security settings to reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the Widgets for Social Photo Feed plugin allows unauthenticated attackers to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to unauthorized access or manipulation of user data when users access the injected pages.
Such unauthorized script execution can compromise the confidentiality and integrity of personal data processed or displayed by the affected WordPress sites.
Consequently, this vulnerability may lead to non-compliance with data protection regulations like GDPR and HIPAA, which require appropriate safeguards against unauthorized access and data breaches.
Additionally, the plugin's disabling of SSL verification in multiple remote requests weakens transport security, increasing the risk of man-in-the-middle attacks that could further expose sensitive data.