The Social Rocket – Social Sharing Plugin for WordPress is vulnerable to Stored Cross‑Site Scripting via the id parameter in all versions up to 1.3.4.2. Insufficient input sanitization and output escaping allow an attacker who is authenticated with Subscriber‑level permissions or higher to inject and store arbitrary JavaScript. When a visitor opens a page that contains the injected payload the script will execute in the visitor’s browser. The severity is reflected by a CVSS score of 6.4 and constitutes a moderate‑tier risk that can be exploited to execute malicious code on the client side.

WordPress sites that have the Social Rocket – Social Sharing Plugin installed and running a version equal to or older than 1.3.4.2 are affected. Administrators should check the plugin version in the WordPress dashboard and ensure it is updated to a newer release that addresses the id‑parameter handling.

The vulnerability requires the attacker to be authenticated with at least Subscriber privileges. Once authenticated the attacker can embed the payload which then remains stored permanently in the site’s database. The EPSS score of less than 1 % indicates a low exploitation probability under current conditions and the vulnerability is not listed in the CISA KEV catalog. Exploitation is limited to users who can provide a valid session cookie. The CVSS score of 6.4 reflects a moderate likelihood of successful exploitation when the conditions are met.