cleantalk
Vulnerabilities and Security Researches

BlossomThemes Social Feed, 8fdec6763b3c730130b642406e93234959989593

CVE, Research URL

8fdec6763b3c730130b642406e93234959989593

Home page URL

Security reports for BlossomThemes Social Feed

Application

BlossomThemes Social Feed

Published on
-
Research Description
BlossomThemes Social Feed [blossomthemes-instagram-feed] <= 2.0.5 (unfixed) Multiple Plugins &lt;= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin&#039;s bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.
Affected versions
Min -, max 2.0.5.
Status
vulnerable
Previous vulnerability researches
Flickr Shortcode Importer (CVE-2025-46481) , Apr 26, 2025
New vulnerability
Radio Station by netmix® &#8211; Manage and play your Show Schedule in WordPress! (CVE-2025-53568) , Jul 05, 2025
RD Contacto (CVE-2025-5933) , Jul 05, 2025
AiBud WP &#8211; ChatGPT, OpenAI, Content &amp; Image Generator WordPress plugin (CVE-2025-23968) , Jul 05, 2025
WP Permalink Translator (CVE-2025-53274) , Jul 05, 2025
Soumettre.fr (CVE-2025-4654) , Jul 05, 2025