CVE-2025-6067 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress, affecting all versions up to and including 6.6.7. The vulnerability stems from improper input sanitization and output escaping of the data-caption and data-linktext parameters. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript code into these parameters, which is then stored and rendered on pages viewed by other users. This stored XSS can lead to a range of attacks, including session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS 3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or higher), no user interaction, and scope change due to potential impact on other users. No known exploits have been reported in the wild yet. The plugin is widely used in WordPress environments, which are popular globally, making this vulnerability a significant concern for many websites. The lack of official patches at the time of publication necessitates immediate mitigation steps by administrators to reduce risk.

The impact of CVE-2025-6067 is significant for organizations running WordPress sites with the affected plugin. Successful exploitation allows authenticated users with relatively low privileges (Contributor or above) to inject malicious scripts that execute in the context of other users visiting the compromised pages. This can lead to theft of session cookies, enabling attackers to impersonate users with higher privileges, potentially leading to full site compromise. It can also facilitate defacement, phishing, or distribution of malware to site visitors, damaging reputation and trust. Since the vulnerability affects input parameters that are rendered on public-facing pages, the attack surface includes all site visitors, increasing the scope of impact. Although no known exploits are currently reported, the medium CVSS score and ease of exploitation by authenticated users make this a credible threat. Organizations relying on this plugin risk data confidentiality and integrity breaches, as well as potential availability impacts if attackers leverage the vulnerability for further attacks or site disruption.

1. Immediately restrict Contributor-level and higher user privileges to trusted individuals only, minimizing the risk of malicious input injection. 2. Implement strict input validation and sanitization on the data-caption and data-linktext parameters at the application or web server level using web application firewalls (WAFs) with custom rules to detect and block suspicious script tags or payloads. 3. Monitor logs and user activity for unusual behavior indicative of attempted XSS exploitation, such as unexpected script injections or anomalous page content changes. 4. Until an official patch is released, consider disabling or removing the Easy Social Feed plugin if feasible, or replace it with alternative plugins that have no known vulnerabilities. 5. Educate content contributors about the risks of injecting untrusted content and enforce content submission policies. 6. Regularly update WordPress core and all plugins to the latest versions once patches addressing this vulnerability become available. 7. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected pages, reducing the impact of potential XSS payloads.