CVE-2025-10166

Vulnerability

Overview

CVE-2025-10166 describes a stored cross-site scripting (XSS) vulnerability in the Social Media Shortcodes plugin for WordPress, affecting all versions up to and including 1.3.1. The flaw resides in the plugin's 'twitter' shortcode, where user-supplied attributes are not properly sanitized or escaped before being output on the page [1]. This allows authenticated attackers with contributor-level access or higher to inject arbitrary HTML and JavaScript into posts or pages.

Attack

Vector

The vulnerability can be exploited by an attacker who has at least a contributor role on a WordPress site. By inserting a malicious 'twitter' shortcode with crafted attribute values (e.g., name or text), the attacker can inject script code. When the shortcode is processed, the unsanitized attributes are written directly into the generated anchor element's href, title, or link text, allowing persistent script injection [1]. No further privileges or user interaction are required to store the payload.

Impact

Successful exploitation leads to stored XSS, meaning the malicious script executes every time a user visits the affected page. An attacker could steal session cookies, redirect victims to malicious sites, deface the page, or perform other actions in the context of the victim's session. Because the injected script persists in the database, it affects all site visitors, including administrators, until the injected content is removed.

Mitigation

Users of the Social Media Shortcodes plugin should update to a patched version if available. If no update is released, the only workaround is to disable the plugin or restrict the use of the vulnerable shortcode to trusted users. As of publication, no version beyond 1.3.1 has been confirmed, so site administrators should consider removing or replacing the plugin to eliminate the risk.

References

[1] Social Media Shortcodes plugin page on WordPress.org