Description
The WP2Social Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-11-08
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting (XSS)
Action: Patch Plugin
AI Analysis

Impact

The WP2Social Auto Publish plugin for WordPress contains a reflected cross-site scripting vulnerability that is triggered through PostMessage when inputs are not properly sanitized or escaped. An unauthenticated attacker can inject arbitrary JavaScript that will run in the victim's browser when a user clicks a malicious link, potentially allowing credential theft, site defacement, or session hijacking.

Affected Systems

All versions of the WP2Social Auto Publish plugin up to and including 2.4.7, distributed by f1logic, are affected. This includes every WordPress site that has installed these plugin versions.

Risk and Exploitability

The CVSS score of 6.1 denotes moderate severity, and the EPSS score is under 1%, indicating a low probability of exploitation in the wild. The vulnerability does not require elevated privileges but depends on user interaction, so attackers rely on social engineering or malicious links. Although it is not listed in the CISA KEV catalog, site owners should treat the flaw as a legitimate threat because any user who opens a crafted link can be affected.

Generated by OpenCVE AI on April 22, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP2Social Auto Publish plugin to the latest available release (2.4.8 or newer) where the XSS issue has been fixed.
  • If an update is not yet possible, disable the PostMessage functionality within the plugin or remove the plugin entirely to eliminate the attack surface.
  • Implement a Content Security Policy that restricts inline scripts and blocks the execution of unexpected JavaScript to mitigate potential XSS exploitation.

Generated by OpenCVE AI on April 22, 2026 at 12:02 UTC.

Advisories

No advisories yet.

History

Mon, 10 Nov 2025 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 10 Nov 2025 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | F1logic; F1logic wpsocial Auto Publish; Wordpress; Wordpress wordpress
Vendors & Products  |                | F1logic; F1logic wpsocial Auto Publish; Wordpress; Wordpress wordpress

Sat, 08 Nov 2025 03:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The WP2Social Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title       |                | WP2Social Auto Publish <= 2.4.7 - Reflected Cross-Site Scripting via PostMessage
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

F1logic Wpsocial Auto Publish
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:26.159Z

Reserved: 2025-10-22T13:08:06.371Z

Link: CVE-2025-12064

Vulnrichment

Updated: 2025-11-10T20:00:12.699Z

NVD

Status: Deferred

Published: 2025-11-08T04:15:44.117

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12064

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:15:16Z

Weaknesses