Platform
wordpress
Component
social-photo-feed-widget
Fixed version
1.7.10
CVE-2026-5425 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Widgets for Social Photo Feed plugin for WordPress. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially compromising user accounts and website functionality. The vulnerability affects versions from 0.0.0 up to and including 1.7.9. A fix is available in version 1.8.0.
Successful exploitation of CVE-2026-5425 allows an attacker to inject malicious JavaScript code into pages viewed by other users. This can lead to various consequences, including session hijacking, defacement of the website, redirection to malicious sites, and theft of sensitive information like cookies and login credentials. The attacker could potentially gain control of user accounts if they are tricked into interacting with the injected script. The impact is amplified if the plugin is widely used and integrated into critical website functions, potentially affecting a large user base.
CVE-2026-5425 was publicly disclosed on 2026-04-04. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature makes it likely that a PoC will emerge. It is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the plugin's potential popularity, suggests a medium probability of exploitation.
Websites using the Widgets for Social Photo Feed plugin, particularly those with a large user base or that handle sensitive user data, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially affect others.
• wordpress / composer / npm:
    grep -r 'feed_data' /var/www/html/wp-content/plugins/widgets-for-social-photo-feed/
• wordpress / composer / npm:
    wp plugin list --status=active | grep 'widgets-for-social-photo-feed'
• generic web: Check website pages for unusual JavaScript behavior or unexpected redirects.
• generic web: Review WordPress error logs for suspicious activity related to the plugin.
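The second check above only tells you whether the plugin is active, not whether the installed build falls inside the affected range. The script below is an added example, not code from the plugin or from this advisory: it parses the CSV form of the same WP-CLI inventory (`wp plugin list --format=csv`, whose default columns are name, status, update, version), compares the installed version against the affected range stated here (0.0.0 through 1.7.9), and reports an installed-but-inactive copy as still affected because its files remain on disk. The inventory text embedded in the block is constructed sample output, not captured from a real site.

```python
"""Check a WP-CLI plugin inventory for the affected version range of the
Widgets for Social Photo Feed plugin (CVE-2026-5425).

Added example, not code from the plugin or the advisory. Assumes the input
is `wp plugin list --format=csv` output with the default columns
name,status,update,version; SAMPLE_INVENTORY below is constructed.
"""
import csv
import io
import re

PLUGIN_SLUG = "widgets-for-social-photo-feed"
# Affected range stated in the advisory: 0.0.0 up to and including 1.7.9.
LAST_AFFECTED = (1, 7, 9)


def parse_version(text):
    """Turn '1.7.9', '1.8' or '1.7.9-beta1' into a comparable tuple.

    Non-numeric suffixes are dropped, missing components count as 0, and an
    empty or unparseable string becomes (0, 0, 0), which is deliberately
    conservative: an unknown version is treated as inside the affected range.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group(0)))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True when the version is within 0.0.0..1.7.9 inclusive."""
    return parse_version(version) <= LAST_AFFECTED


def check_inventory(csv_text):
    """Locate the plugin in WP-CLI CSV output and report its state.

    Returns a dict with keys installed, version, status and affected. An
    inactive copy of an affected version is still reported as affected.
    """
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("name") == PLUGIN_SLUG:
            version = row.get("version") or ""
            return {
                "installed": True,
                "version": version,
                "status": row.get("status"),
                "affected": is_affected(version),
            }
    return {"installed": False, "version": None, "status": None, "affected": False}


# Constructed sample of `wp plugin list --format=csv` output (not real data).
SAMPLE_INVENTORY = """name,status,update,version
akismet,active,none,5.3
widgets-for-social-photo-feed,active,available,1.7.9
hello,inactive,none,1.7.2
"""

if __name__ == "__main__":
    result = check_inventory(SAMPLE_INVENTORY)
    if result["installed"]:
        state = "AFFECTED" if result["affected"] else "not affected"
        print(f"{PLUGIN_SLUG} {result['version']} ({result['status']}): {state}")
    else:
        print(f"{PLUGIN_SLUG} is not installed")
```

On a real host, feed the script the output of `wp plugin list --format=csv` (run as the web user) instead of SAMPLE_INVENTORY; deactivating an affected plugin does not change the result, only updating or removing it does.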
disclosure
Exploitation status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5425 is to immediately upgrade the Widgets for Social Photo Feed plugin to version 1.8.0 or later. If upgrading is not immediately feasible, consider temporarily disabling the plugin to prevent further exploitation. As a secondary measure, implement a Web Application Firewall (WAF) with rules to filter out suspicious input containing potentially malicious JavaScript code within the 'feed_data' parameter. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.
Update to version 1.8.0 or later, or to the latest fixed version.
CVE-2026-5425 is a Stored XSS vulnerability in the Widgets for Social Photo Feed WordPress plugin, allowing attackers to inject malicious scripts.
If you are using Widgets for Social Photo Feed version 0.0.0 through 1.7.9, you are vulnerable. Upgrade to 1.8.0 or later.
Upgrade the Widgets for Social Photo Feed plugin to version 1.8.0 or later. Temporarily disable the plugin if upgrading is not immediately possible.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that it will be exploited. Monitor your website for suspicious activity.
Refer to the plugin developer's website or WordPress plugin repository for the latest advisory and update information.