Description
The Heateor Login – Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS via authenticated contributor+ access
Action: Patch Now
AI Analysis

Impact

The Heateor Login – Social Login Plugin is vulnerable to stored cross‑site scripting through its 'Heateor_Facebook_Login' shortcode. The plugin does not sanitize or escape user‑supplied attributes, allowing an attacker who is authenticated with contributor level access or higher to inject arbitrary JavaScript. When a site visitor views a page containing the malicious shortcode, the injected script runs in the visitor’s browser.

Affected Systems

WordPress sites that have the Heateor Login – Social Login Plugin version 1.1.9 or earlier installed are affected. The vulnerability applies to any page that contains the vulnerable shortcode, regardless of the WordPress core version.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The EPSS score of less than 1% suggests that exploitation is not widespread at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated with contributor or higher privileges; once authenticated, they can embed malicious JavaScript into the shortcode, which will execute for every user who views the affected page.

Generated by OpenCVE AI on April 20, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Heateor Login – Social Login Plugin to the latest version where the input sanitization bug is fixed
  • If an upgrade is temporarily impossible, disable or remove the Heateor_Facebook_Login shortcode from all pages, or configure the editor to strip it automatically
  • Apply a Content Security Policy that restricts the execution of inline scripts to mitigate any remaining injection risk

Generated by OpenCVE AI on April 20, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27520 The Heateor Login – Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 12 Sep 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Heateor
Heateor social Login
Wordpress
Wordpress wordpress
Vendors & Products Heateor
Heateor social Login
Wordpress
Wordpress wordpress

Wed, 10 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Sep 2025 06:45:00 +0000

Type Values Removed Values Added
Description The Heateor Login – Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Heateor Login – Social Login Plugin <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Heateor Social Login
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:00.116Z

Reserved: 2025-09-02T15:40:31.044Z

Link: CVE-2025-9857

cve-icon Vulnrichment

Updated: 2025-09-10T15:06:53.075Z

cve-icon NVD

Status : Deferred

Published: 2025-09-10T07:15:46.730

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9857

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses