Description
The Widgets for Tiktok Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trustindex-feed' shortcode in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-26
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Patch Now
AI Analysis

Impact

The Widgets for Tiktok Feed plugin for WordPress is susceptible to stored cross‑site scripting through its 'trustindex-feed' shortcode. Because the plugin does not adequately sanitize or escape user‑supplied attributes, an authenticated user with contributor or higher privilege can inject malicious scripts that will run whenever a visitor loads a page containing the shortcode. This flaw corresponds to CWE‑79 and allows attackers to hijack sessions, deface content, or perform other client‑side attacks.

Affected Systems

All installations of the Widgets for Tiktok Feed plugin for WordPress with version numbers up to and including 1.7.3 are affected. The vulnerability is present on any site that uses this plugin in those versions.

Risk and Exploitability

The reported CVSS score of 6.4 ranks the flaw as moderate, while the EPSS score of less than 1% indicates a low current likelihood of exploitation. The flaw requires an authenticated contributor or higher role, meaning an attacker must first obtain sufficient permissions to add or edit the shortcode. Although not listed in the CISA KEV catalog, the combination of moderate severity and the need for elevated privileges means security teams should treat this as a noteworthy risk, especially on sites with open contributor access or shared hosting environments.

Generated by OpenCVE AI on April 22, 2026 at 14:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Widgets for Tiktok Feed plugin to the latest available version (1.7.4 or newer) to fix the sanitization issue.
  • Restrict contributor and other non‑admin roles from adding or editing content that uses the 'trustindex-feed' shortcode, or remove the shortcode from posts they can modify.
  • Implement a content‑security‑policy header that limits executable scripts to trusted origins, which mitigates the impact of any residual or unforeseen XSS payloads.

Generated by OpenCVE AI on April 22, 2026 at 14:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31204 The Widgets for Tiktok Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trustindex-feed' shortcode in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 26 Sep 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Trustindex
Trustindex widgets For Tiktok Feed
Wordpress
Wordpress wordpress
Vendors & Products Trustindex
Trustindex widgets For Tiktok Feed
Wordpress
Wordpress wordpress

Fri, 26 Sep 2025 02:15:00 +0000

Type Values Removed Values Added
Description The Widgets for Tiktok Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trustindex-feed' shortcode in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Widgets for Tiktok Feed <= 1.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Trustindex Widgets For Tiktok Feed
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:48.521Z

Reserved: 2025-08-12T19:59:58.661Z

Link: CVE-2025-8906

cve-icon Vulnrichment

Updated: 2025-09-26T19:20:58.754Z

cve-icon NVD

Status : Deferred

Published: 2025-09-26T02:15:52.670

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8906

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T14:30:18Z

Weaknesses