Impact
Improper neutralization of user input during web page generation in the SnapWidget Social Photo Feed Widget results in a DOM-based XSS flaw. The vulnerability can allow an attacker to inject and execute arbitrary JavaScript in the browser context of any user who views the widget. This could lead to theft of session cookies, defacement of the site, or phishing content delivered to legitimate visitors. The weakness is classified as CWE-79, indicating that user-supplied input is not properly validated and output is not properly encoded before being placed in the page.
Affected Systems
The SnapWidget Social Photo Feed Widget plugin versions up to and including 1.1.0 are affected. No further patch level information is provided, so all releases through 1.1.0 remain vulnerable.
Risk and Exploitability
The CVSS score of 6.5 signals moderate severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the attack vector appears to be DOM-based XSS triggered through the plugin's front-end script. An attacker would need to embed a malicious payload in the widget data or configuration; the payload then executes automatically when the page loads in the victim's browser. While the flaw does not provide remote code execution on the server, it can subvert the user session and compromise confidentiality and integrity on the client side.
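To show the CWE-79 pattern behind a DOM-based XSS in a photo-feed widget and the corresponding fix, here is an added example of a hypothetical feed renderer (it is not SnapWidget's code; the feed item shape, the `caption` and `image` fields and the sample item are assumptions constructed for this illustration). The unsafe renderer interpolates feed data straight into markup; the hardened one encodes each value for the context it lands in and restricts image URLs to http(s).

```javascript
// Added example, not the plugin's code. A hypothetical widget renders feed
// items it received as JSON. Untrusted fields: item.caption and item.image.

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allow only http(s) image sources; anything else (javascript:, data:,
// unparsable strings) becomes an empty src so it never reaches the attribute.
function safeImageUrl(url) {
  try {
    const parsed = new URL(String(url));
    return parsed.protocol === "https:" || parsed.protocol === "http:"
      ? parsed.href
      : "";
  } catch (e) {
    return "";
  }
}

// Vulnerable (CWE-79): feed data is placed into markup untouched, so any
// markup inside a caption is parsed and executed by the viewer's browser.
function renderItemUnsafe(item) {
  return `<figure><img src="${item.image}">` +
         `<figcaption>${item.caption}</figcaption></figure>`;
}

// Hardened: every untrusted value is validated and encoded for its context.
function renderItemSafe(item) {
  return `<figure><img src="${escapeHtml(safeImageUrl(item.image))}">` +
         `<figcaption>${escapeHtml(item.caption)}</figcaption></figure>`;
}

// Constructed sample item: a caption carrying markup, as a tampered feed or
// configuration value might supply it.
const sampleItem = {
  image: "https://cdn.example.invalid/photo.jpg",
  caption: '<img src=x onerror="alert(1)">',
};
```

Running `renderItemUnsafe(sampleItem)` yields markup with a live event handler, while `renderItemSafe(sampleItem)` shows the caption as literal text.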
OpenCVE Enrichment