Description
The Social Post Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Threads embed handler in all versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on the user-supplied URL. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-28
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Social Post Embed WordPress plugin allows an authenticated user with Contributor or higher privileges to store a malicious URL in the Threads embed area. The plugin neither sanitizes that input nor escapes it when rendering, so an attacker can inject arbitrary JavaScript that runs in the browser of any user who views the page containing the embed. Such stored script injection can lead to defacement, credential theft, session hijacking, or other client-side attacks against site visitors.
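
The description above names two missing controls: the user-supplied URL is not sanitized on input and not escaped on output. The following is an added illustration, not code from the Social Post Embed plugin, of how a WordPress shortcode handler that embeds a post URL would apply both controls. The shortcode name, the allowed-host list and all function names are assumptions made for the example.

```php
<?php
/**
 * Added illustration (not the plugin's code): a WordPress shortcode that
 * embeds a user-supplied post URL with input validation and output escaping.
 * The shortcode name, allowed hosts and function names are assumptions.
 */

// Vulnerable pattern: the attribute is concatenated into markup unchanged,
// so neither sanitization nor escaping is applied (the CWE-79 class of flaw).
function spe_demo_embed_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'spe_demo_embed' );
    return '<blockquote class="post-embed" data-url="' . $atts['url'] . '">'
         . '<a href="' . $atts['url'] . '">View post</a></blockquote>';
}

// Hardened pattern, step 1: validate on input (scheme and host allowlist).
function spe_demo_validate_post_url( $url ) {
    // Assumed allowlist of embeddable hosts; adjust for the real service.
    $allowed_hosts = array( 'www.threads.net', 'threads.net' );

    // esc_url_raw() normalizes the URL and rejects disallowed protocols
    // (javascript:, data:, ...); it returns '' when nothing acceptable remains.
    $clean = esc_url_raw( $url, array( 'https' ) );
    if ( '' === $clean ) {
        return '';
    }

    $host = wp_parse_url( $clean, PHP_URL_HOST );
    if ( ! $host || ! in_array( strtolower( $host ), $allowed_hosts, true ) ) {
        return '';
    }
    return $clean;
}

// Hardened pattern, step 2: escape on output for the context each value lands in.
function spe_demo_embed_safe( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'spe_demo_embed' );
    $url  = spe_demo_validate_post_url( $atts['url'] );
    if ( '' === $url ) {
        // Render nothing rather than echo attacker-controlled input back.
        return '';
    }
    // esc_attr() for the data- attribute, esc_url() for the href.
    return sprintf(
        '<blockquote class="post-embed" data-url="%s"><a href="%s">View post</a></blockquote>',
        esc_attr( $url ),
        esc_url( $url )
    );
}

add_shortcode( 'spe_demo_embed', 'spe_demo_embed_safe' );
```

Validation is applied at render time as well as when the value is saved, because stored content written before a fix is still rendered by the fixed handler; escaping at the point of output is what closes the gap the description refers to.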

Affected Systems

WordPress sites that have the Social Post Embed plugin installed in any version up to and including 2.0.1 are affected. The vulnerability resides in the Threads embed handler in the plugin code.

Risk and Exploitability

With a CVSS score of 6.4 the flaw is of moderate severity. The EPSS score is not reported, and the vulnerability is not listed in CISA's KEV catalog, suggesting a lower but still non-negligible likelihood of exploitation. Exploitation requires only an authenticated Contributor or higher account, so the attacker must have a foothold on the site's content-management side, but the impact extends to every site visitor who loads the affected page.

Generated by OpenCVE AI on April 28, 2026 at 12:29 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Social Post Embed plugin to version 2.0.2 or later.
  • If updating immediately is not feasible, restrict Contributor role permissions or remove Contributor users from the site.
  • If the plugin cannot be removed, disable or delete the embed functionality entirely to prevent the stored script from being rendered.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Dartiss; Dartiss social Post Embed; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Dartiss; Dartiss social Post Embed; Wordpress; Wordpress wordpress

Tue, 28 Apr 2026 05:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Social Post Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Threads embed handler in all versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on the user-supplied URL. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
  Values Removed: (none)
  Values Added: Social Post Embed <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Threads Embed
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79
Type: References
  Values Removed: (none)
  Values Added:
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Dartiss Social Post Embed
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-28T04:28:21.151Z

Reserved: 2026-04-21T17:19:28.939Z

Link: CVE-2026-6809

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-28T06:16:04.770

Modified: 2026-04-28T06:16:04.770

Link: CVE-2026-6809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:30:31Z

Weaknesses