Stored Cross-Site Scripting in Widgets for Social Photo Feed Plugin by WordPress
CVE-2026-5425

7.2HIGH

Key Information:

Vendor: WordPress
Status: Widgets For Social Photo Feed
Vendor: CVE Published:; 4 April 2026

What is CVE-2026-5425?

The Widgets for Social Photo Feed plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter keys. Unauthenticated attackers can exploit this vulnerability to inject arbitrary web scripts into pages. Due to insufficient input sanitization and output escaping, these malicious scripts may execute in the context of users accessing affected pages, leading to potential data theft or session hijacking. Users of the plugin versions up to and including 1.7.9 are strongly advised to upgrade to the latest version, which addresses this serious security flaw.

Affected Version(s)

Widgets for Social Photo Feed 0 <= 1.7.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?old_path=soc...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2026
Vulnerability Reserved
Apr 2, 2026

Credit

Nabil Irawan

CVE-2026-5425 Data

JSON