cleantalk
Vulnerabilities and Security Researches

Social Post Embed, CVE-2026-6809

CVE, Research URL

CVE-2026-6809

Home page URL

Security reports for Social Post Embed

Application

Social Post Embed

Published on
Apr 28, 2026
Research Description
The Social Post Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Threads embed handler in all versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on the user-supplied URL. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.0.2.
Status
vulnerable
Previous vulnerability researches
SERPed.net (CVE-2025-24669) , Jan 26, 2025
SERPed.net (CVE-2025-28998) , Jul 02, 2025
SERPed.net (CVE-2025-32651) , Apr 18, 2025
New vulnerability
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin (CVE-2026-42652) , Apr 30, 2026
WP Meteor Website Speed Optimization Addon (CVE-2026-2902) , Apr 30, 2026
Social Post Embed (CVE-2026-6809) , Apr 30, 2026
Timeline Blocks for Gutenberg (CVE-2026-6551) , Apr 29, 2026
WPC Smart Messages for WooCommerce (CVE-2026-6725) , Apr 29, 2026