CVE-2025-64198
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS. This issue affects Easy Social Share Buttons: from n/a through < 10.7.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the Easy Social Share Buttons plugin in versions before 10.7.1 allows attackers to inject scripts via crafted input.
The Easy Social Share Buttons WordPress plugin contains a reflected cross-site scripting (XSS) vulnerability caused by improper neutralization of user input during web page generation. The issue affects versions before 10.7.1 (listed as "n/a through < 10.7.1" in the CVE description): the plugin fails to sanitize or escape request input before including it in its output, so a crafted value is rendered as markup and enables script injection [1].
Exploitation
Attackers can exploit this by crafting a malicious link or URL that includes a script payload. User interaction is required — a privileged user (such as an administrator) must click the link, visit a crafted page, or submit a specially designed form. Once triggered, the injected script executes in the context of the victim's browser session, typically within the WordPress admin dashboard or front-end where the vulnerable component renders [1].
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the affected site. This can be used to redirect visitors to malicious sites, display unwanted advertisements, steal session cookies, or perform other actions that compromise the integrity of the website. The CVSS v3 base score of 7.1 (High) reflects the potential for significant harm, and the vulnerability is expected to become actively exploited in mass campaigns targeting thousands of websites [1].
Mitigation
The vendor has released version 10.7.1, which addresses the vulnerability. Users are strongly advised to update to this patched version immediately. Administrators who are unable to update should consult their hosting provider or web developer for additional security measures. Patchstack has also issued a virtual mitigation rule to block attacks until the update is applied [1].
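The page does not identify the vulnerable parameter or code path, so the following is an added, hypothetical WordPress snippet (not the plugin's code) showing the unsafe output pattern behind a reflected XSS next to a hardened form. The function names `essb_demo_*`, the `network` and `title` request parameters, and the allow-list are assumptions for illustration; the WordPress helpers `wp_unslash`, `sanitize_key`, `sanitize_text_field`, `esc_attr` and `esc_html` are real core functions.

```php
<?php
// Added illustration, not the plugin's code. Parameter names, function names
// and the allow-list are hypothetical assumptions.

// Vulnerable pattern: request input is echoed into the page without escaping.
// Whatever arrives in the query string is written into the HTML verbatim, so
// a value containing markup is rendered as markup (reflected XSS).
function essb_demo_vulnerable_share_box() {
    $network = isset( $_GET['network'] ) ? wp_unslash( $_GET['network'] ) : '';
    $title   = isset( $_GET['title'] ) ? wp_unslash( $_GET['title'] ) : '';

    echo '<div class="share-box" data-network="' . $network . '">'
       . 'Share "' . $title . '" on ' . $network
       . '</div>';
}

// Hardened pattern: constrain input where a fixed vocabulary exists, and
// escape every value for its exact output context at the point of output.
function essb_demo_hardened_share_box() {
    $allowed_networks = array( 'facebook', 'twitter', 'linkedin' ); // assumed list

    // sanitize_key() reduces the value to [a-z0-9_-]; the allow-list then
    // rejects anything that is not a known network instead of reflecting it.
    $network = isset( $_GET['network'] ) ? sanitize_key( wp_unslash( $_GET['network'] ) ) : '';
    if ( ! in_array( $network, $allowed_networks, true ) ) {
        $network = 'facebook'; // safe default; never echo the rejected input
    }

    // Free text cannot be allow-listed, so it is sanitized on input and still
    // escaped on output: esc_attr() for the attribute, esc_html() for the text node.
    $title = isset( $_GET['title'] ) ? sanitize_text_field( wp_unslash( $_GET['title'] ) ) : '';

    printf(
        '<div class="share-box" data-network="%s">Share "%s" on %s</div>',
        esc_attr( $network ),
        esc_html( $title ),
        esc_html( $network )
    );
}
```

The defensive point is that escaping must happen at output and must match the context (attribute versus text node versus URL); sanitizing on input alone is not sufficient, because the same value may later be written into a different context. This is the class of fix a plugin update such as 10.7.1 would carry, and a virtual-patching rule like the one Patchstack issued is a stopgap that filters requests until that code-level fix is deployed.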
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: < 10.7.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.