Skip to main content

CVE-2025-53235

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
7.1 (HIGH)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 21:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osuthorpe Easy Social easy-social-media allows Reflected XSS.This issue affects Easy Social: from n/a through <= 1.3.

AnalysisAI

Reflected cross-site scripting (XSS) in osuthorpe Easy Social WordPress plugin version 1.3 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exists in improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.01%) suggests minimal real-world attack probability despite the theoretical attack surface.

Technical ContextAI

The vulnerability is a Reflected Cross-Site Scripting (XSS) flaw classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The Easy Social WordPress plugin fails to properly sanitize and escape user-controlled input before rendering it in HTML responses sent to users' browsers. This allows attackers to craft malicious URLs containing JavaScript payloads that execute in the context of the vulnerable application. The reflected nature means the payload is transmitted in the HTTP request and echoed back in the response without adequate output encoding, causing the browser to interpret it as executable code. Affected product identified via CPE reference to osuthorpe Easy Social plugin version 1.3 and earlier.

Affected ProductsAI

osuthorpe Easy Social WordPress plugin version 1.3 and all earlier versions are affected. The plugin is distributed via WordPress.org plugin repository and is identified in the Patchstack vulnerability database. Users running versions up to and including 1.3 are vulnerable to reflected XSS attacks.

RemediationAI

Update osuthorpe Easy Social plugin to a patched version released after version 1.3. Check the WordPress plugin repository or the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/easy-social-media/vulnerability/wordpress-easy-social-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve for the specific fixed release version and installation instructions. If a patched version is unavailable, consider disabling the plugin until a fix is released, or implement Web Application Firewall (WAF) rules to filter malicious input patterns targeting known vulnerable parameters. WordPress site administrators should apply updates immediately through the WordPress admin dashboard once available.

Share

CVE-2025-53235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy