Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Suresh Prasad Showeblogin Social showeblogin-facebook-page-like-box allows DOM-Based XSS. This issue affects Showeblogin Social: from n/a through <= 7.0.
Published: 2025-04-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the plugin’s failure to neutralize user-supplied input before rendering it in the browser. This DOM-based XSS allows an attacker to inject malicious scripts that execute in the browsers of visitors who access the affected page, potentially leading to credential theft, session hijacking, page defacement or arbitrary code execution within the user’s context.

Affected Systems

The flaw exists in the Showeblogin Social plugin for WordPress, authored by Suresh Prasad. All installations of the plugin with versions from the earliest release through 7.0 are affected. Administrators should verify the installed plugin version and consider upgrading, replacing or uninstalling the plugin.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need to supply malicious input that is interpreted by the plugin’s JavaScript in the victim’s browser; the most likely attack vector is a crafted link or page that the user is induced to visit, triggering the DOM-based XSS. This flaw depends on the victim’s browser environment and does not require privileged server access.

Generated by OpenCVE AI on May 1, 2026 at 00:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Showeblogin Social plugin to a version newer than 7.0 or uninstall it if no update is available.
  • Deploy a Content Security Policy that disallows execution of inline scripts on pages containing the plugin.
  • If upgrading or removing is not feasible, sandbox the plugin content with an iframe and enforce a restrictive CSP to block injected scripts.

Advisories

Source: EUVD
ID: EUVD-2025-9858
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Suresh Prasad Showeblogin Social allows DOM-Based XSS. This issue affects Showeblogin Social: from n/a through 7.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Suresh Prasad Showeblogin Social allows DOM-Based XSS. This issue affects Showeblogin Social: from n/a through 7.0.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Suresh Prasad Showeblogin Social showeblogin-facebook-page-like-box allows DOM-Based XSS. This issue affects Showeblogin Social: from n/a through <= 7.0.

Type: References
(no values listed)

Type: Metrics (cvssV3_1)
Value: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Fri, 04 Apr 2025 21:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Apr 2025 16:15:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Suresh Prasad Showeblogin Social allows DOM-Based XSS. This issue affects Showeblogin Social: from n/a through 7.0.

Type: Title
Values Added: WordPress Showeblogin Social plugin <= 7.0 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
(no values listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:18.107Z

Reserved: 2025-04-04T10:01:05.033Z

Link: CVE-2025-32169

Vulnrichment

Updated: 2025-04-04T19:54:18.250Z

NVD

Status: Deferred

Published: 2025-04-04T16:15:25.683

Modified: 2026-04-23T15:28:41.263

Link: CVE-2025-32169

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:45:05Z

Weaknesses