CVE-2026-7659
Description
The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Advanced Social Media Icons plugin for WordPress via insufficient sanitization in the `social` shortcode, affecting versions ≤1.2.
Vulnerability
Overview The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Script Insertion (XSS) in all versions up to and including 1.2. The flaw resides in the social shortcode, where user-supplied attributes are not properly sanitized or escaped before being output. This allows an attacker to inject arbitrary JavaScript or HTML that becomes part of the page content [1].
Exploitation
Conditions An authenticated attacker with at least Contributor-level access can exploit this vulnerability by crafting a malicious shortcode attribute. When the shortcode is rendered on a page, the injected script executes in the context of any user who subsequently visits that page. No additional privileges or network-level access are required beyond the ability to create or edit posts/pages [1].
Impact
Successful exploitation leads to Stored XSS, enabling the attacker to perform actions such as stealing session cookies, redirecting users to malicious sites, or defacing the site. The injected script persists in the database and executes each time the page is loaded, affecting all visitors [1].
Mitigation
The plugin has been closed as of May 6, 2026, 2026, pending a full review, and is no longer available for download. Users should remove the plugin immediately and consider alternative solutions. No patched version is currently available [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=1.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- plugins.trac.wordpress.org/browser/advanced-social-media-icons/tags/1.2/functions.phpnvd
- plugins.trac.wordpress.org/browser/advanced-social-media-icons/trunk/functions.phpnvd
- wordpress.org/plugins/advanced-social-media-icons/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/999c2207-6d45-4b46-8fe1-03682a949c5cnvd
News mentions
0No linked articles in our index yet.