Stored Cross-Site Scripting in Easy Social Feed Plugin for WordPress
CVE-2025-6067

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box
Vendor
CVE Published:
6 September 2025

What is CVE-2025-6067?

The Easy Social Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-caption' and 'data-linktext' parameters. This vulnerability arises from inadequate input sanitization and output escaping, allowing authenticated attackers with Contributor-level access or higher to inject malicious web scripts. When a user visits an infected page, the scripts execute, potentially compromising user interaction and data security.

Affected Version(s)

Easy Social Feed – Social Photos Gallery – Post Feed – Like Box * <= 6.6.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/easy-facebook-...
https://plugins.trac.wordpress.org/log/easy-facebook-like...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Craig Smith
JSON
.