Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xkollsoftware Social2Blog social2blog allows Reflected XSS. This issue affects Social2Blog: from n/a through <= 0.2.990.
Published: 2025-01-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin reflects attacker-controlled input into a generated page without neutralizing it, the classic CWE-79 reflected XSS pattern. A victim who opens a crafted link therefore executes the attacker's script in the origin of the WordPress site, with whatever session the victim holds there. Depending on who the victim is and on how the site's cookies are flagged, this can allow theft of session cookies, actions performed in the victim's name through the WordPress front end or admin interface, or injection of arbitrary content into the page as that user sees it. Because the flaw is reflected rather than stored, nothing is persisted on the site itself; each victim must be served the payload individually.

Affected Systems

The vulnerability exists in the xkollsoftware Social2Blog plugin for WordPress in every release up to and including 0.2.990 (the advisory gives no lower bound). Any WordPress site with the plugin installed and active at one of those versions is exposed until the plugin is updated to a release above 0.2.990 or removed.

Risk and Exploitability

The CVSS v3.1 score of 7.1 (High; vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) describes a flaw that is reachable over the network, needs no authentication and no special conditions, but does require a victim to act, with the injected script then running in the context of the site rather than of the attacker. The EPSS score below 1% and the SSVC assessment recorded at publication (Exploitation: none, Automatable: no) indicate no known exploitation and a low probability of it in the near term, and the issue is not listed in CISA KEV. The realistic attack is phishing: the attacker embeds the payload in a link to the vulnerable plugin endpoint on a target WordPress site and persuades a logged-in user, ideally an administrator, to open it; the reflected script then executes in that user's browser session on the site.
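The mechanics described above, reduced to a runnable sketch. This is an added example, not code from the Social2Blog plugin or from OpenCVE: the advisory names no parameter or payload, so the parameter name `q`, the base URL and the probe payload are assumptions. It builds the link an attacker would send, then shows the same page rendered by a handler that echoes the parameter unchanged and by one that escapes it per output context, which in WordPress is the job of `esc_attr()` and `esc_html()`.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed probe payload; the advisory names no parameter or payload, so the
# parameter name "q" and the base URL used below are assumptions for illustration.
PROBE_PAYLOAD = '"><script>alert(document.cookie)</script>'


def craft_attack_url(base_url: str, param: str, payload: str) -> str:
    """Build the link an attacker would deliver to a victim.

    Reflected XSS needs the victim to open this URL (CVSS UI:R); the script
    then runs in the origin of the WordPress site that reflects it.
    """
    return f"{base_url}?{urlencode({param: payload})}"


def reflected_value(url: str, param: str) -> str:
    """Recover the parameter the way a server-side handler would see it."""
    return parse_qs(urlparse(url).query).get(param, [""])[0]


def render_vulnerable(url: str, param: str) -> str:
    """CWE-79 pattern: user input is echoed into two HTML contexts unchanged.

    The payload closes the value="..." attribute, closes the <input> tag and
    opens a <script> element, so the browser executes it.
    """
    value = reflected_value(url, param)
    return (
        f'<input type="text" name="{param}" value="{value}">'
        f"<p>You searched for: {value}</p>"
    )


def render_hardened(url: str, param: str) -> str:
    """Same page with output escaping applied at the point of output.

    html.escape(quote=True) encodes < > & " ' which is what PHP's
    htmlspecialchars(..., ENT_QUOTES) does and what WordPress's esc_attr()
    (attribute context) and esc_html() (text context) build on.
    """
    value = reflected_value(url, param)
    safe = html.escape(value, quote=True)
    return (
        f'<input type="text" name="{param}" value="{safe}">'
        f"<p>You searched for: {safe}</p>"
    )


def contains_script_tag(markup: str) -> bool:
    """Crude detector: a live <script> start tag survives in the markup."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    url = craft_attack_url("https://blog.example.test/", "q", PROBE_PAYLOAD)
    print("attack URL:", url)
    print("vulnerable:", render_vulnerable(url, "q"))
    print("hardened:  ", render_hardened(url, "q"))
```

The hardened variant is not a fix for Social2Blog (that has to come from the vendor); it shows the property a fix must have, namely that every reflected value is escaped for the context it lands in before it reaches the browser.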

Generated by OpenCVE AI on May 1, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If the vendor publishes a release newer than 0.2.990 that addresses this issue, upgrade to it and confirm that the installed version is above 0.2.990; at the time of writing no fixed release is recorded here.
  • If no newer release is available, uninstall or replace the Social2Blog plugin to remove the vulnerable code paths.
  • Deploy a Content-Security-Policy whose script-src omits 'unsafe-inline' (use nonces or hashes for the site's own inline scripts); this stops an injected <script> block from running even while the reflection remains. A WAF or WordPress security plugin can filter obvious payloads in requests, but it cannot add the missing output escaping inside the plugin, so treat it as a stopgap rather than a fix.
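Two of the checks above, version verification and the CSP test, as a small audit script. This is an added example, not OpenCVE's or the plugin's own code. The plugin header it parses is constructed (real files differ, and the version shown is an assumption chosen to sit inside the affected range); the CSP parser applies the rules that matter for this case, namely that script-src governs scripts with default-src as fallback and that 'unsafe-inline' is ignored by browsers when a nonce or hash source is also present.

```python
import re
from typing import Optional

# Constructed sample of a WordPress plugin header (the comment block WordPress
# reads from the plugin's main PHP file). The version is an assumption placed
# inside the affected range; take the real value from the deployed file.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Social2Blog
Version: 0.2.990
*/
"""

LAST_AFFECTED_VERSION = "0.2.990"  # "through 0.2.990" in the advisory


def parse_plugin_version(main_file_text: str) -> Optional[str]:
    """Extract the Version: header field (WordPress reads it case-insensitively)."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", main_file_text, re.I | re.M)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Numeric tuple for comparison. Non-numeric suffixes are ignored, so
    '0.2.990-beta' compares as 0.2.990 and is conservatively still affected."""
    key = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        key.append(int(digits.group(0)) if digits else 0)
    return tuple(key)


def is_affected(version: str) -> bool:
    """True for every release up to and including LAST_AFFECTED_VERSION."""
    return version_key(version) <= version_key(LAST_AFFECTED_VERSION)


def csp_blocks_inline_scripts(policy: str) -> bool:
    """True if this Content-Security-Policy value stops inline <script> blocks,
    which is what defeats a reflected payload that injects one."""
    directives = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src")
    if sources is None:
        sources = directives.get("default-src")
    if sources is None:
        return False  # nothing in the policy restricts scripts at all
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" in lowered:
        # CSP Level 2+: a nonce or hash source makes browsers ignore 'unsafe-inline'.
        return any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
            for s in lowered
        )
    return True


def audit(main_file_text: str, csp_header: str) -> dict:
    """Combine both checks into one result for a single site."""
    version = parse_plugin_version(main_file_text)
    return {
        "version": version,
        "vulnerable_version": version is not None and is_affected(version),
        "csp_blocks_inline": csp_blocks_inline_scripts(csp_header),
    }


if __name__ == "__main__":
    # Constructed policy that still permits inline scripts, for contrast.
    print(audit(SAMPLE_PLUGIN_HEADER, "default-src 'self'; script-src 'self' 'unsafe-inline'"))
```

A site that reports `vulnerable_version: True` and `csp_blocks_inline: False` has neither the fix nor the mitigation; the CSP check is worth keeping after an upgrade too, since it also covers the next reflected XSS in any other plugin.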

Advisories
Source: EUVD
ID: EUVD-2025-3194
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andrea Dotta, Jacopo Campani, di xkoll.com Social2Blog allows Reflected XSS. This issue affects Social2Blog: from n/a through 0.2.990.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andrea Dotta, Jacopo Campani, di xkoll.com Social2Blog allows Reflected XSS. This issue affects Social2Blog: from n/a through 0.2.990.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xkollsoftware Social2Blog social2blog allows Reflected XSS. This issue affects Social2Blog: from n/a through <= 0.2.990.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 21 Jan 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Jan 2025 17:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andrea Dotta, Jacopo Campani, di xkoll.com Social2Blog allows Reflected XSS. This issue affects Social2Blog: from n/a through 0.2.990.
Title WordPress Social2Blog plugin <= 0.2.990 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:09.820Z

Reserved: 2025-01-16T11:24:55.800Z

Link: CVE-2025-23461

Vulnrichment

Updated: 2025-01-21T18:36:08.052Z

NVD

Status : Deferred

Published: 2025-01-21T18:15:16.387

Modified: 2026-06-17T08:54:33.380

Link: CVE-2025-23461

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')