Is WordPress affected by EUVD-2026-18989?

Widgets for Social Photo Feed WordPress plugin versions 1.7.9 and earlier contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into widget configuration, affecting all site visitors and administrators.

EUVD-2026-18989

| CVE-2026-5425 HIGH

2026-04-04 Wordfence

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 04, 2026 - 08:45 vuln.today

EUVD ID Assigned

Apr 04, 2026 - 08:45 euvd

EUVD-2026-18989

CVE Published

Apr 04, 2026 - 08:25 nvd

HIGH 7.2

Description

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'feed_data' parameter keys in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Analysis

Stored cross-site scripting (XSS) in the Widgets for Social Photo Feed WordPress plugin (versions ≤1.7.9) allows unauthenticated remote attackers to inject malicious scripts via unsanitized 'feed_data' parameter keys, achieving persistent code execution in victim browsers with scope change impact. The vulnerability stems from insufficient input validation on widget configuration data. …

Remediation

Within 24 hours: Inventory all WordPress installations and identify sites using Widgets for Social Photo Feed; disable or remove the plugin if not actively required. Within 7 days: Upgrade to version 1.8 or later on all affected installations, or migrate to an alternative social feed solution. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: 0

EUVD-2026-18989 vulnerability details – vuln.today

Back

EUVD-2026-18989

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-18989

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code