Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jongmyoung Kim Korea SNS korea-sns allows DOM-Based XSS.This issue affects Korea SNS: from n/a through <= 1.7.0.
AnalysisAI
DOM-based cross-site scripting (XSS) in Jongmyoung Kim's Korea SNS WordPress plugin versions up to 1.7.0 allows authenticated high-privilege users to inject malicious scripts into web pages viewed by others. The vulnerability requires user interaction (UI:R) and high-privilege authentication (PR:H), limiting real-world exploitability to scenarios where administrative or editor-level WordPress accounts are compromised or misused. EPSS exploitation probability is minimal at 0.03% (8th percentile), indicating low technical likelihood despite the network-accessible attack vector.
Technical ContextAI
The vulnerability exploits improper input sanitization during web page generation within the Korea SNS WordPress plugin, a social networking extension for WordPress. The DOM-based XSS (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs when the plugin processes user-supplied input without adequate escaping or validation before rendering it in the Document Object Model. This allows injection of arbitrary JavaScript code that executes in the browser context of affected users. The CPE identifier cpe:2.3:a:jongmyoung_kim:korea_sns:*:*:*:*:*:*:*:* confirms this affects all versions of the plugin from Jongmyoung Kim's Korea SNS product line.
RemediationAI
Site administrators must upgrade Korea SNS to a version newer than 1.7.0; the exact fixed version was not explicitly specified in the available advisory data, so administrators should check Patchstack or the plugin's GitHub repository for the latest release. As an immediate interim measure, restrict editing or publishing permissions in WordPress to only trusted users, and regularly audit user role assignments to prevent privilege escalation or account misuse. Disable the Korea SNS plugin entirely if a patched version is unavailable and the plugin is not critical to site operations. Review the Patchstack vulnerability entry at https://patchstack.com/database/Wordpress/Plugin/korea-sns for version-specific remediation guidance and patch release notes.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20341
GHSA-93gq-jh68-93jp