Platform
wordpress
Component
social-photo-feed-widget
Fixed in
1.7.10
CVE-2026-5425 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Widgets for Social Photo Feed plugin for WordPress. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially compromising user accounts and website functionality. The vulnerability affects versions from 0.0.0 up to and including 1.7.9. A fix is available in version 1.8.0.
Successful exploitation of CVE-2026-5425 allows an attacker to inject malicious JavaScript code into pages viewed by other users. This can lead to various consequences, including session hijacking, defacement of the website, redirection to malicious sites, and theft of sensitive information like cookies and login credentials. The attacker could potentially gain control of user accounts if they are tricked into interacting with the injected script. The impact is amplified if the plugin is widely used and integrated into critical website functions, potentially affecting a large user base.
CVE-2026-5425 was publicly disclosed on 2026-04-04. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. It is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the plugin's potential popularity, suggests a medium probability of exploitation.
Websites using the Widgets for Social Photo Feed plugin, particularly those with a large user base or that handle sensitive user data, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially affect others.
• wordpress / composer / npm:
  grep -r 'feed_data' /var/www/html/wp-content/plugins/widgets-for-social-photo-feed/
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'widgets-for-social-photo-feed'
• generic web: Check website pages for unusual JavaScript behavior or unexpected redirects.
• generic web: Review WordPress error logs for suspicious activity related to the plugin.
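The `wp plugin list` check above only tells you the plugin is active; it does not say whether the installed version is inside the affected range (0.0.0 through 1.7.9). The script below is an added example, not part of this advisory or the plugin project: it parses `wp plugin list --format=csv` output with a small POSIX version comparison and flags the plugin when its version is at or below 1.7.9. The CSV sample embedded in it is constructed for the demonstration; on a real site pipe the live `wp plugin list --format=csv` output into `check_csv` instead.

```shell
#!/bin/sh
# Added example (not from the advisory): flag an installed
# widgets-for-social-photo-feed version that falls in the affected range
# of CVE-2026-5425 (0.0.0 up to and including 1.7.9).

# Last affected version per the advisory text.
LAST_AFFECTED="1.7.9"

# Compare two dotted numeric versions; prints -1, 0 or 1 (a<b, a=b, a>b).
# Only numeric dotted versions are supported; a "-suffix" (e.g. -beta) is dropped.
vercmp() {
    a="${1%%-*}"; b="${2%%-*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0      # missing component counts as 0 (1.8 == 1.8.0)
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    echo 0
}

# True (exit 0) when VERSION is within the affected range of CVE-2026-5425.
is_vulnerable() {
    [ "$(vercmp "$1" "$LAST_AFFECTED")" -le 0 ]
}

# Read `wp plugin list --format=csv` text on stdin (columns:
# name,status,update,version). Prints a verdict; exits 0 if the plugin is
# installed at an affected version, 1 otherwise (including not installed).
check_csv() {
    while IFS=, read -r name status update version; do
        [ "$name" = "widgets-for-social-photo-feed" ] || continue
        if is_vulnerable "$version"; then
            echo "VULNERABLE: $name $version ($status) is affected by CVE-2026-5425"
            return 0
        fi
        echo "ok: $name $version is outside the affected range"
        return 1
    done
    echo "not installed: widgets-for-social-photo-feed"
    return 1
}

# Constructed sample output of `wp plugin list --format=csv` (not captured
# from a real site), used so the script runs stand-alone.
SAMPLE_CSV='name,status,update,version
akismet,active,none,5.3
widgets-for-social-photo-feed,active,available,1.7.9
hello,inactive,none,1.7.2'

# Stand-alone run; on a live site replace the printf with:
#   wp plugin list --format=csv | check_csv
printf '%s\n' "$SAMPLE_CSV" | check_csv
```

The comparison is written in plain `sh` rather than relying on `sort -V` so it runs on minimal hosting images; the result for the sample above is the VULNERABLE line, since 1.7.9 is the last affected release.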
disclosure
Exploit status
EPSS
0.08% (percentile 24%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5425 is to immediately upgrade the Widgets for Social Photo Feed plugin to version 1.8.0 or later. If upgrading is not immediately feasible, consider temporarily disabling the plugin to prevent further exploitation. As a secondary measure, implement a Web Application Firewall (WAF) with rules to filter out suspicious input containing potentially malicious JavaScript code within the 'feed_data' parameter. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
Update to version 1.8.0, or a later fixed version
CVE-2026-5425 is a Stored XSS vulnerability in the Widgets for Social Photo Feed WordPress plugin, allowing attackers to inject malicious scripts.
If you are using Widgets for Social Photo Feed version 0.0.0 through 1.7.9, you are vulnerable. Upgrade to 1.8.0 or later.
Upgrade the Widgets for Social Photo Feed plugin to version 1.8.0 or later. Temporarily disable the plugin if upgrading is not immediately possible.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that it will be exploited. Monitor your website for suspicious activity.
Refer to the plugin developer's website or WordPress plugin repository for the latest advisory and update information.