Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in snapwidget SnapWidget Social Photo Feed Widget snapwidget-wp-instagram-widget allows DOM-Based XSS.This issue affects SnapWidget Social Photo Feed Widget: from n/a through <= 1.1.0.
Published: 2025-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation (CWE‑79) in the SnapWidget Social Photo Feed Widget plugin, which allows a DOM‑based cross‑site scripting flaw. An attacker can embed malicious scripts that run in the context of users who view the feed, potentially allowing session hijacking, defacement, or other client‑side compromises.

Affected Systems

The SnapWidget Social Photo Feed widget for WordPress, version 1.1.0 or earlier. Any WordPress installation that has the plugin installed in a site accessible through a browser is affected. No other WordPress core versions or plugins are mentioned as impacted.

Risk and Exploitability

The flaw carries a CVSS score of 6.5, indicating moderate severity, but the EPSS score is below 1 %, suggesting a low probability of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is a publicly reachable website that hosts the plugin, where an attacker can supply malicious input that is reflected into the DOM and executed in browsers of site visitors. No authentication or privileged access is required for the containing page to trigger the vulnerability.

Generated by OpenCVE AI on May 1, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SnapWidget Social Photo Feed Widget plugin to a version newer than 1.1.0.
  • If an upgrade is not immediately possible, remove or disable the plugin to eliminate the vulnerable code path.
  • Implement input sanitization or output encoding for the widget content, such as whitelisting allowed tags, to mitigate the XSS risk until a patch is applied.

Generated by OpenCVE AI on May 1, 2026 at 02:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9273 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in snapwidget SnapWidget Social Photo Feed Widget allows DOM-Based XSS. This issue affects SnapWidget Social Photo Feed Widget: from n/a through 1.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in snapwidget SnapWidget Social Photo Feed Widget allows DOM-Based XSS. This issue affects SnapWidget Social Photo Feed Widget: from n/a through 1.1.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in snapwidget SnapWidget Social Photo Feed Widget snapwidget-wp-instagram-widget allows DOM-Based XSS.This issue affects SnapWidget Social Photo Feed Widget: from n/a through <= 1.1.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 01 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in snapwidget SnapWidget Social Photo Feed Widget allows DOM-Based XSS. This issue affects SnapWidget Social Photo Feed Widget: from n/a through 1.1.0.
Title WordPress SnapWidget Social Photo Feed Widget plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:12.222Z

Reserved: 2025-04-01T13:19:38.349Z

Link: CVE-2025-31760

cve-icon Vulnrichment

Updated: 2025-04-01T20:32:31.909Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T15:16:12.670

Modified: 2026-04-23T15:28:14.223

Link: CVE-2025-31760

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T02:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')