The Easy Social Feed – Social Photos Gallery and Post Feed for WordPress plugin suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. Specifically, the data-caption and data-linktext parameters do not properly sanitize or escape input, allowing authenticated users with Contributor-level privileges or higher to inject arbitrary scripts. These scripts persist in the application and execute in the context of users who access the injected pages. The vulnerability affects all versions up to 6.6.7 and has a CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), indicating network exploitable with low attack complexity, requiring privileges, no user interaction, and impacts confidentiality and integrity with scope change but no availability impact. No known exploits in the wild have been reported, and no patch or remediation guidance is currently available.

Successful exploitation allows authenticated users with Contributor-level access or higher to inject persistent malicious scripts into pages via the data-caption and data-linktext parameters. This can lead to execution of arbitrary scripts in the context of other users viewing the affected pages, potentially resulting in theft of sensitive information or session hijacking. The vulnerability impacts confidentiality and integrity but does not affect availability. The scope of the vulnerability is changed, meaning the impact extends beyond the initially compromised component.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level access to trusted users only and consider disabling or limiting use of the affected plugin. Monitor for updates from the vendor or WordPress plugin repository for patches addressing this vulnerability.