{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-5425/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-5425"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","cve-2026-5425","plugin"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Widgets for Social Photo Feed plugin for WordPress, versions up to and including 1.7.9, contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-5425). This vulnerability stems from insufficient input sanitization and output escaping of the \u0026lsquo;feed_data\u0026rsquo; parameter keys. An unauthenticated attacker can exploit this flaw by injecting malicious JavaScript code into the WordPress database. When a user visits a page containing a vulnerable widget, the injected script executes within their browser, potentially leading to session hijacking, account takeover, or other malicious activities. This vulnerability was reported by Wordfence and patched in version 1.8 of the plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe unauthenticated attacker identifies a WordPress site using a vulnerable version (\u0026lt;= 1.7.9) of the Widgets for Social Photo Feed plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the plugin\u0026rsquo;s functionality that handles the \u003ccode\u003efeed_data\u003c/code\u003e parameter. This request contains XSS payload within the parameter keys.\u003c/li\u003e\n\u003cli\u003eThe WordPress server receives the crafted HTTP request. The vulnerable plugin processes the request without proper input sanitization or output escaping.\u003c/li\u003e\n\u003cli\u003eThe malicious XSS payload is stored in the WordPress database, associated with the plugin\u0026rsquo;s settings or data.\u003c/li\u003e\n\u003cli\u003eA legitimate user visits a page on the WordPress site where the affected widget is displayed.\u003c/li\u003e\n\u003cli\u003eThe WordPress server retrieves the plugin data, including the stored XSS payload, from the database.\u003c/li\u003e\n\u003cli\u003eThe server renders the page with the unsanitized XSS payload embedded within the HTML output.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser receives the HTML page containing the malicious script and executes it. This could lead to redirection, information theft, or further compromise of the user\u0026rsquo;s session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary JavaScript code in the context of a website user\u0026rsquo;s browser. This can result in session hijacking, defacement of the website, redirection to malicious sites, or the theft of sensitive information. While the exact number of vulnerable installations is not available, the widespread use of WordPress plugins makes this a potentially significant threat, particularly for sites that do not promptly apply security updates.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Widgets for Social Photo Feed plugin to version 1.8 or later to patch CVE-2026-5425.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect WordPress Social Photo Feed XSS Attempt\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to filter out requests containing potentially malicious JavaScript code in the \u003ccode\u003efeed_data\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T09:16:20Z","date_published":"2026-04-04T09:16:20Z","id":"/briefs/2026-04-wordpress-xss/","summary":"The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute when a user accesses the injected page.","title":"WordPress Widgets for Social Photo Feed Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-5425","version":"https://jsonfeed.org/version/1.1"}