Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS.This issue affects Easy Social Share Buttons: from n/a through < 10.7.1.
Published: 2025-11-06
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy Social Share Buttons plugin contains an improper neutralization of input during web page generation. An attacker can supply malicious payloads that are reflected in the page without adequate sanitization, enabling execution of arbitrary JavaScript when users visit the site. This can lead to credential theft, session hijacking, or distribution of malware, affecting the confidentiality and integrity of users’ data.

Affected Systems

WordPress sites installing appscreo Easy Social Share Buttons version lower than 10.7.1 are impacted. No specific WordPress core or theme versions are mentioned, but the vulnerability exists in all installations of the plugin up to the noted release.

Risk and Exploitability

The CVSS base score of 7.1 classifies this as High severity. The EPSS score of less than 1% indicates a low but non‑zero likelihood of exploitation at this time. The vulnerability is not listed in CISA KEV, suggesting limited current exploitation activity. The attack path is a reflected XSS that requires an attacker to convince a user to click a crafted link or visit a malicious page that includes the plugin’s vulnerable rendering. Once the user’s browser executes the script, the attacker gains the user’s privileges in the WordPress context.

Generated by OpenCVE AI on April 29, 2026 at 20:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Social Share Buttons to version 10.7.1 or later
  • If an upgrade is not currently feasible, disable the plugin or remove its shortcodes from all pages until the upgrade can be applied
  • Ensure site-wide input validation and output sanitization by applying WordPress escape functions and nonces to prevent user input from affecting rendered pages

Generated by OpenCVE AI on April 29, 2026 at 20:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 06 Nov 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Appscreo
Appscreo easy Social Share Buttons
Wordpress
Wordpress wordpress
Vendors & Products Appscreo
Appscreo easy Social Share Buttons
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS.This issue affects Easy Social Share Buttons: from n/a through < 10.7.1.
Title WordPress Easy Social Share Buttons plugin < 10.7.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Appscreo Easy Social Share Buttons
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:23:47.001Z

Reserved: 2025-10-29T03:07:04.006Z

Link: CVE-2025-64198

cve-icon Vulnrichment

Updated: 2025-11-06T16:30:45.892Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:16:13.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64198

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:15:19Z

Weaknesses