Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in reputeinfosystems Social Share And Social Locker social-share-and-social-locker-arsocial allows Reflected XSS.This issue affects Social Share And Social Locker: from n/a through <= 1.4.1.
Published: 2025-04-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic reflected cross‑site scripting (XSS) flaw that allows an attacker to inject malicious JavaScript into pages rendered by the Social Share And Social Locker plugin. An attacker can craft a specially‑crafted URL that, when visited by a user with appropriate privileges, will execute arbitrary scripts in the victim’s browser. This can lead to session hijacking, theft of cookies, and redirection to malicious sites. The weakness is captured by CWE‑79.

Affected Systems

The flaw affects the Social Share And Social Locker plugin published by reputeinfosystems, version 1.4.1 and all earlier releases. Any WordPress site using this plugin without an upgrade to a newer, patched version is at risk.

Risk and Exploitability

The CVSS score of 7.1 reflects significant impact and a non‑restricted attack vector, while the EPSS score of less than 1 % indicates the exploitability probability is currently low but not negligible. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a malicious link that exploits the unneutralized user input; an attacker does not require authentication to deliver the payload.

Generated by OpenCVE AI on May 1, 2026 at 00:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Social Share And Social Locker to a version newer than 1.4.1
  • If an upgrade is not immediately possible, block or strip query parameters that the plugin uses for rendering shared links to prevent injection
  • Consider disabling the plugin or replacing it with an alternative while a patch is applied

Generated by OpenCVE AI on May 1, 2026 at 00:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-14725 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Social Share And Social Locker allows Reflected XSS. This issue affects Social Share And Social Locker: from n/a through 1.4.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Social Share And Social Locker allows Reflected XSS. This issue affects Social Share And Social Locker: from n/a through 1.4.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in reputeinfosystems Social Share And Social Locker social-share-and-social-locker-arsocial allows Reflected XSS.This issue affects Social Share And Social Locker: from n/a through <= 1.4.1.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 03 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Social Share And Social Locker allows Reflected XSS. This issue affects Social Share And Social Locker: from n/a through 1.4.1.
Title WordPress Social Share And Social Locker Plugin <= 1.4.1 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:15.871Z

Reserved: 2025-04-01T13:21:40.753Z

Link: CVE-2025-31902

cve-icon Vulnrichment

Updated: 2025-04-03T14:58:14.713Z

cve-icon NVD

Status : Deferred

Published: 2025-04-03T14:15:42.483

Modified: 2026-04-23T15:28:31.120

Link: CVE-2025-31902

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T01:00:05Z

Weaknesses