CVE-2021-47910
Description
AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon title' field. Attackers can store XSS payloads like image tags with onerror event handlers that execute when the plugin page is viewed, affecting all users who access the plugin interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in AccessPress Social Icons 1.8.2 allows authenticated attackers to inject arbitrary JavaScript via the 'icon title' field, executing when the plugin page is viewed.
The vulnerability is a stored cross-site scripting (XSS) issue in the AccessPress Social Icons plugin for WordPress, version 1.8.2. The root cause is improper neutralization of user input in the 'icon title' field, which allows attackers to inject arbitrary JavaScript code. This corresponds to CWE-79 [2].
An authenticated attacker with the ability to add social icons can exploit this by entering a malicious payload, such as an image tag with an onerror event handler, into the 'icon title' field. The payload is stored in the database and executed when any user views the plugin's admin interface, including administrators [3]. No special privileges beyond being able to add icons are required.
Successful exploitation can lead to session hijacking, defacement, or phishing attacks, as the injected script runs in the context of the victim's session. All users who access the plugin page are affected, making this a medium-severity threat with a CVSS v3 score of 6.4.
As of the publication date, no official patch has been announced. Users are advised to disable or remove the plugin if it is not essential, or to check for updates from the vendor that address this vulnerability. The exploit has been publicly disclosed, increasing the risk of active exploitation [3].
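For sites that cannot remove the plugin immediately, the following added example (not code from the plugin, the vendor, or the cited references) audits icon titles for markup of the kind described above and shows the HTML-escaped form a fixed renderer would emit. The sample titles are constructed, and how titles are exported from the WordPress database is assumed and not shown.

```python
"""Audit icon titles for markup that would execute if rendered unescaped."""
import re
from html import escape
from html.parser import HTMLParser


class _MarkupFinder(HTMLParser):
    """Collects tags and script-bearing attributes found in one title."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # An icon title is plain text, so any tag at all is a finding.
        self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def audit_title(title):
    """Return a list of findings for one stored title (empty list = clean)."""
    finder = _MarkupFinder()
    finder.feed(title)
    finder.close()
    # Fallback: a tag left unterminated may not be reported by the parser.
    if not finder.findings and re.search(r"<[A-Za-z/!]", title):
        finder.findings.append("unterminated markup")
    return finder.findings


def report(titles):
    """Return (title, findings, escaped_title) for every suspicious title."""
    return [(t, f, escape(t, quote=True)) for t in titles if (f := audit_title(t))]


# Constructed sample data: two ordinary titles and one with the payload
# shape named in the description (image tag with an onerror handler).
SAMPLE_TITLES = [
    "Follow us on Twitter",
    "Tom & Jerry's feed",
    '<img src=x onerror="alert(1)">',
]

if __name__ == "__main__":
    for title, findings, safe in report(SAMPLE_TITLES):
        print(f"{title!r}: {', '.join(findings)} -> render as {safe!r}")
```

Any title the audit flags should be reviewed and replaced with plain text, since escaping on output only helps once the rendering code itself is fixed.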
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.8.2
Patches
No patches discovered yet.