Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WarfarePlugins Social Warfare social-warfare allows DOM-Based XSS. This issue affects Social Warfare: from n/a through <= 4.5.5.
Published: 2025-02-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An input sanitization flaw in the Social Warfare WordPress plugin allows a malicious user to inject script code that is executed in the victim’s browser when a processed page is viewed. This DOM‑based XSS can be used to steal user cookies, deface content, or deliver further phishing payloads, and is catalogued as CWE‑79. The vulnerability is limited to client‑side code execution and does not provide direct server‑side compromise.

Affected Systems

WordPress sites that have the WarfarePlugins Social Warfare plugin installed, specifically versions up through and including 4.5.5. Any site that has not upgraded past this version remains exposed to the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of < 1% signals that exploitation is considered unlikely at present, and the flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a crafted web request that reaches the vulnerable plugin, and the victim must subsequently open a page that renders the unsanitized input – a typical DOM‑based XSS attack vector. No additional prerequisites beyond the vulnerable plugin and active user interaction are reported.

Generated by OpenCVE AI on May 1, 2026 at 15:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Social Warfare plugin to a version newer than 4.5.5 that contains the XSS patch. This removes the injection point entirely.
  • If an update cannot be made immediately, disable or uninstall the Social Warfare plugin to eliminate the attack surface. This stops any rendering of the vulnerable code paths.
  • After applying the patch or disabling the plugin, review and remove any remaining widgets, shortcodes, or custom settings that may still inject unfiltered content, and verify that the site’s front‑end no longer displays the vulnerable code paths.

Advisories
Source: EUVD
ID: EUVD-2025-4424
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WarfarePlugins Social Warfare allows DOM-Based XSS. This issue affects Social Warfare: from n/a through 4.5.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WarfarePlugins Social Warfare allows DOM-Based XSS. This issue affects Social Warfare: from n/a through 4.5.4.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WarfarePlugins Social Warfare social-warfare allows DOM-Based XSS. This issue affects Social Warfare: from n/a through <= 4.5.5.
Title
  Values Removed: WordPress Social Warfare Plugin <= 4.5.4 - Cross Site Scripting (XSS) vulnerability
  Values Added: WordPress Social Warfare Plugin <= 4.5.5 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 24 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 22 Feb 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WarfarePlugins Social Warfare allows DOM-Based XSS. This issue affects Social Warfare: from n/a through 4.5.4.
Title WordPress Social Warfare Plugin <= 4.5.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:45.779Z

Reserved: 2025-02-17T11:51:40.975Z

Link: CVE-2025-26973

Vulnrichment

Updated: 2025-02-24T14:31:29.664Z

NVD

Status: Deferred

Published: 2025-02-22T16:15:32.347

Modified: 2026-04-23T15:26:09.980

Link: CVE-2025-26973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T16:00:16Z

Weaknesses