A Cross‑Site Request Forgery vulnerability in the SSS plugin allows an attacker to create or modify data that is then rendered as stored XSS. The flaw is a classic CSRF weakness that lets an authenticated user unknowingly submit malicious content, which can be displayed to any who view that content. Once executed, the stored XSS could enable credential theft, session hijacking, or arbitrary code execution within the context of the plugin’s web interface, posing a benign to high impact on confidentiality, integrity and availability for affected sites.

Any WordPress site that has installed the Social Bookmarking RELOADED plugin in versions up to and including 3.18 is vulnerable. The vulnerability applies regardless of the version of WordPress or the theme in use; only the plugin version matters.

The CVSS profile assigns a score of 7.1, reflecting a moderate to high severity. The EPSS score is reported as less than 1%, suggesting that active exploitation may be unlikely at present, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves CSRF, so an exploiter would need an authenticated administrator session and the ability to trick the user into visiting a crafted link or loading a malicious image. The risk remains non‑zero, especially for sites that allow broad administrative access or do not enforce strict CSRF protections.