CVE-2021-47910
Stored XSS in AccessPress Social Icons Plugin
Publication date: 2026-05-10
Last updated on: 2026-05-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| accesspress | accesspress_social_icons | 1.8.2 |
| accesspress | accesspress_social_icons | to 1.8.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
AccessPress Social Icons 1.8.2 contains a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious JavaScript code into the 'icon title' field.
When these malicious scripts are stored, they execute whenever the plugin page is viewed, potentially affecting all users who access the plugin interface.
This vulnerability arises from improper neutralization of input during web page generation, classified as CWE-79.
How can this vulnerability impact me? :
This vulnerability can allow an authenticated attacker to execute malicious scripts within the context of the plugin interface.
As a result, any user who views the affected plugin page could be exposed to these scripts, which might lead to unauthorized actions such as session hijacking, data theft, or other malicious activities.
The impact is limited to users who have access to the plugin interface, but it can compromise the security and integrity of the affected website.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the 'icon title' field of the AccessPress Social Icons plugin interface. Since the vulnerability is a stored cross-site scripting (XSS), detection involves inspecting the plugin's stored data for suspicious script tags or event handlers such as 'onerror' in image tags.
Commands or methods to detect this vulnerability include:
- Using web application scanning tools to crawl the plugin pages and look for reflected or stored XSS payloads.
- Manually inspecting the database entries related to the plugin's 'icon title' field for suspicious JavaScript code.
- Using curl or wget commands to fetch the plugin page and grep for suspicious script tags or event handlers, for example:
- curl -s https://yourwordpresssite.com/wp-admin/admin.php?page=accesspress-social-icons | grep -iE '<script|onerror|javascript:'
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict access to the plugin interface to trusted authenticated users only, minimizing the risk of attackers injecting malicious scripts.
- Remove or sanitize any suspicious or malicious entries in the 'icon title' field within the plugin settings or database.
- Disable or uninstall the AccessPress Social Icons plugin, especially since it was removed from the WordPress Plugin Directory and is no longer maintained.
- Consider replacing the plugin with a maintained alternative that does not have this vulnerability.
- Apply web application firewall (WAF) rules to block common XSS payloads targeting this plugin.