Impact
The Widgets for Social Photo Feed plugin stores user-supplied input from the feed_data parameter without sufficient sanitization or escaping. This allows an unauthenticated attacker to inject malicious scripts that are persisted in the plugin’s data and executed whenever a page displaying the injected content is accessed. The injected payload runs with the privileges of the website’s front-end rendering context, enabling client-side defacement, cookie theft, or social engineering attempts.
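As an added illustration (not the plugin’s own code), the unsafe pattern described above is shown next to a hardened form in WordPress PHP; the JSON shape of feed_data, the option name and the function names are assumptions, since the page does not describe the parameter’s format.

```php
<?php
// Added illustration, not the plugin's own code. It assumes a hypothetical widget
// that accepts a JSON `feed_data` parameter of [{"url": ..., "caption": ...}, ...]
// and stores it with update_option(); the real parameter format is not on the page.

// Vulnerable pattern: persist the raw parameter, then echo it into the page unescaped.
function vulnerable_save_feed_data() {
    $raw = isset( $_POST['feed_data'] ) ? wp_unslash( $_POST['feed_data'] ) : '';
    update_option( 'example_feed_data', $raw );                  // stored as-is, no auth check
}
function vulnerable_render_feed_data() {
    foreach ( (array) json_decode( get_option( 'example_feed_data', '[]' ), true ) as $item ) {
        echo '<img src="' . $item['url'] . '"><p>' . $item['caption'] . '</p>'; // injected markup runs
    }
}

// Hardened pattern: authorize the write, validate and sanitize on input, escape per context on output.
function hardened_save_feed_data() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'example_save_feed_data' );             // CSRF nonce
    $items = json_decode( isset( $_POST['feed_data'] ) ? wp_unslash( $_POST['feed_data'] ) : '', true );
    if ( ! is_array( $items ) ) {
        wp_die( 'feed_data must be a JSON array' );
    }
    $clean = array();
    foreach ( $items as $item ) {
        $url = esc_url_raw( isset( $item['url'] ) ? $item['url'] : '' ); // keeps only safe protocols
        if ( '' === $url ) {
            continue;                                             // drop entries without a valid URL
        }
        $clean[] = array(
            'url'     => $url,
            'caption' => sanitize_text_field( isset( $item['caption'] ) ? $item['caption'] : '' ),
        );
    }
    update_option( 'example_feed_data', wp_json_encode( $clean ) );
}
function hardened_render_feed_data() {
    foreach ( (array) json_decode( get_option( 'example_feed_data', '[]' ), true ) as $item ) {
        // Escape at the point of output for the exact context: attribute URL vs. HTML text.
        echo '<img src="' . esc_url( $item['url'] ) . '" alt="">';
        echo '<p>' . esc_html( $item['caption'] ) . '</p>';
    }
}
```

Output escaping is applied even to data that was sanitized on the way in, so a value written to the option by some other path still cannot break out of its HTML context.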
Affected Systems
WordPress sites that rely on the TrustIndex Widgets for Social Photo Feed plugin, specifically all releases up to and including version 1.7.9. Sites using any of these affected plugin versions are vulnerable irrespective of other security controls.
Risk and Exploitability
The CVSS score of 7.2 indicates high severity, reflecting the significant impact that arbitrary script execution can have on the confidentiality and integrity of every user of the affected site. Although EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, the absence of an authentication requirement and the persistence of the payload mean that exploitation is straightforward for an attacker who can reach the widget configuration interface, or who can submit feed_data payloads through the API if it is exposed. The attack vector is likely local within the WordPress administrative interface, but the effects are visible to all site visitors.
OpenCVE Enrichment