Impact
An unauthenticated Cross‑Site Scripting vulnerability exists in the WordPress Social Slider Feed plugin versions up to 2.3.2. The flaw allows an attacker to inject malicious JavaScript into web pages viewed by any user, potentially leading to session hijacking, credential theft, or defacement. This weakness is identified CWE‑79, which involves mishandling of untrusted input when rendering output.
Affected Systems
The affected product is the Social Slider Feed plugin from Themeisle, a WordPress plugin used to display social media feeds. All installations running version 2.3.2 or earlier are vulnerable; newer releases (2.3.3 and beyond) contain a fix.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity of exploitation. The EPSS score of less than 1% suggests that current exploitation prevalence is low, but the vulnerability remains in the public eye. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is unauthenticated access to the plugin's front‑end, where a specially crafted URL or content injection point can introduce malicious code; attackers can exploit this flaw from the public internet without authentication.
OpenCVE Enrichment