Description
AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon title' field. Attackers can store XSS payloads like image tags with onerror event handlers that execute when the plugin page is viewed, affecting all users who access the plugin interface.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AccessPress Social Icons 1.8.2 accepts icon title values from authenticated users without proper sanitization, allowing a malicious payload to be stored in the plugin data. When an attacker injects a JavaScript payload – for example, an image tag with an onerror handler – and saves the icon, the script will execute whenever the plugin page is rendered. The vulnerability potentially exposes all users who view the plugin interface to arbitrary client‑side code, enabling phishing, credential theft, or other browser‑based attacks.

Affected Systems

The affected system is any WordPress site running AccessPress Social Icons version 1.8.2. The plugin is distributed by Accesspressthemes and is installed as a WordPress plugin component. No other versions or products were listed as impacted by this CVE.

Risk and Exploitability

The CVSS score of 5.1 classifies the issue as medium severity. Exploit probability is not provided by EPSS, and the vulnerability is not listed in the CISA KEV catalog. The attack requires an authenticated user with permission to edit plugin icon settings; once a malicious title is stored, any user who views the affected page will experience the injected script. Because the effect is client‑side, it does not compromise the server or other users directly, but the risk of social engineering or further compromise is real.

Generated by OpenCVE AI on May 10, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AccessPress Social Icons to the latest released version, which removes the unsanitized icon title handling.
  • If an update is unavailable or the plugin is unnecessary, uninstall or disable it to eliminate the attack surface.
  • Configure a Content Security Policy on the WordPress site that disallows inline scripts and restricts script execution to trusted domains, mitigating the impact of any remaining stored script injection.

Generated by OpenCVE AI on May 10, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Sun, 10 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon title' field. Attackers can store XSS payloads like image tags with onerror event handlers that execute when the plugin page is viewed, affecting all users who access the plugin interface.
Title WordPress Plugin AccessPress Social Icons 1.8.2 Stored XSS
First Time appeared Accesspressthemes
Accesspressthemes accesspress Social Icons
Weaknesses CWE-79
CPEs cpe:2.3:a:accesspressthemes:accesspress_social_icons:1.8.2:*:*:*:*:wordpress:*:*
Vendors & Products Accesspressthemes
Accesspressthemes accesspress Social Icons
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Accesspressthemes Accesspress Social Icons
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:44.569Z

Reserved: 2026-02-01T11:24:18.709Z

Link: CVE-2021-47910

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:27.890

Modified: 2026-05-10T13:16:27.890

Link: CVE-2021-47910

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T14:45:14Z

Weaknesses