CVE-2026-5425
Published 2026-04-04
Priority P3 (41) · Severity high · CVSS 3.1 base score 7.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS 0.23% (14.1th percentile)
The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'feed_data' parameter keys in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trustindex | widgets_for_social_photo_feed | <= 1.7.9 | — |
GHSA · 2026-04-10
CVE-2026-34478 [MEDIUM] CWE-117 Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility
Apache Log4j Core's [`Rfc5424Layout`](https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.
Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:
* The `newLineEscape` attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
* The `useTlsMessageFormat` attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6
GHSA (unreviewed) · 2026-04-04
CVE-2026-5425 [HIGH] CWE-79 GHSA-hvhr-x55p-8qm9: The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'feed_data' parameter keys in all versions
No detection rules found.
No public exploits indexed.
Wiz · CVSS 9.8
CVE-2026-5425 [CRITICAL] CVE-2026-5425 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5425: WordPress vulnerability analysis and mitigation
The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'feed_data' parameter keys in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
* Score: 7.2
* Published: April 4, 2026
* Severity: HIGH
* CNA Score: 7.2
* Affected Technologies: WordPress
* Has Public Exploit: No
* Has CISA KEV Exploit: No
* CISA KEV Release Date: N/A
* CISA KEV Due Date: N/A
* Exploitation Probability Percentile (EPSS): 19.1
* Exploitation Probability (EPSS): 0.1
Affected packages and libraries
Bugzilla · 2026-04-10 · CVSS 6.9
CVE-2026-34478 [MEDIUM] org.apache.logging.log4j/log4j-core: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames
Apache Log4j Core's [`Rfc5424Layout`](https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.
Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:
* The `newLineEscape` attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
* The `useTlsMessageFormat` attribute was silently renamed, causing users of TLS framing (RFC 5425) to be sil
https://plugins.trac.wordpress.org/changeset?old_path=social-photo-feed-widget/tags/1.7.8/social-photo-feed-widget.php&new_path=social-photo-feed-widget/tags/1.8/social-photo-feed-widget.php&old=3440215&new=3486529
https://plugins.trac.wordpress.org/changeset?old_path=social-photo-feed-widget/tags/1.7.8/trustindex-feed-plugin.class.php&new_path=social-photo-feed-widget/tags/1.8/trustindex-feed-plugin.class.php&old=3440215&new=3486529
https://www.wordfence.com/threat-intel/vulnerabilities/id/2584097a-8955-41c7-b009-c6502fe8b99b?source=cve
Published 2026-04-04