Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget wp-social-widget allows Stored XSS.This issue affects WP Social Widget: from n/a through <= 2.3.
Published: 2025-06-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Social Widget plugin contains an improper neutralization of input during web page generation, which allows an attacker to store malicious JavaScript. When a user views content rendered by the plugin, the injected script runs in their browser, potentially exposing session cookies, defacing pages, or redirecting to malicious sites. This stored XSS flaw compromises confidentiality, integrity, and availability of the user experience for anyone who visits affected pages.

Affected Systems

The vulnerability affects the WordPress plugin WP Social Widget from the vendor catchsquare. Any installation of the plugin with version numbers up to and including 2.3 is impacted. No specific WordPress core or other component versions are referenced; the issue resides solely within the plugin itself.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker can submit content via the plugin’s administrative interface so that the script is stored in the database. Once stored, any viewer of the rendered page will have the script executed in their browser. In environments where the plugin is used publicly or with high traffic, the impact could be amplified.

Generated by OpenCVE AI on April 30, 2026 at 11:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Social Widget to the latest version available (any release newer than 2.3); this uninstalls the vulnerable code and applies proper input sanitization.
  • If an update is not immediately available, disable or remove the WP Social Widget plugin to eliminate the attack surface.
  • Configure a strict Content Security Policy for the WordPress site to block inline scripts, which can reduce the impact of any residual XSS vectors.

Generated by OpenCVE AI on April 30, 2026 at 11:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17262 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget wp-social-widget allows Stored XSS.This issue affects WP Social Widget: from n/a through <= 2.3.
Title WordPress WP Social Widget <= 2.3 - Cross Site Scripting (XSS) Vulnerability WordPress WP Social Widget plugin <= 2.3 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 13 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:catchsquare:wp_social_widget:*:*:*:*:*:wordpress:*:*

Fri, 06 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Jun 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.3.
Title WordPress WP Social Widget <= 2.3 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Catchsquare Wp Social Widget
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:00.786Z

Reserved: 2025-06-04T09:42:00.389Z

Link: CVE-2025-49306

cve-icon Vulnrichment

Updated: 2025-06-06T15:39:14.939Z

cve-icon NVD

Status : Modified

Published: 2025-06-06T13:15:46.303

Modified: 2026-04-23T15:31:25.883

Link: CVE-2025-49306

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T12:00:12Z

Weaknesses