{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6809", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-21T17:19:28.939Z", "datePublished": "2026-04-28T04:28:21.151Z", "dateUpdated": "2026-04-28T12:37:12.960Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-28T04:28:21.151Z"}, "affected": [{"vendor": "dartiss", "product": "Social Post Embed", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Social Post Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Threads embed handler in all versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on the user-supplied URL. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Social Post Embed <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Threads Embed", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c16841d-8878-4328-a5dc-113d213cca33?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/social-post-embed/trunk/inc/threads.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.1/inc/threads.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.2/inc/threads.php#L49"}, {"url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.2/inc/threads.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.2/inc/threads.php#L61"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Anas Mokhtari"}], "timeline": [{"time": "2026-04-21T17:36:12.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-27T15:57:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T12:37:03.777386Z", "id": "CVE-2026-6809", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:37:12.960Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6809", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-21T17:19:28.939Z", "datePublished": "2026-04-28T04:28:21.151Z", "dateUpdated": "2026-04-28T12:37:12.960Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-28T04:28:21.151Z"}, "affected": [{"vendor": "dartiss", "product": "Social Post Embed", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Social Post Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Threads embed handler in all versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on the user-supplied URL. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Social Post Embed <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Threads Embed", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c16841d-8878-4328-a5dc-113d213cca33?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/social-post-embed/trunk/inc/threads.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.1/inc/threads.php#L64"}, {"url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.2/inc/threads.php#L49"}, {"url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.2/inc/threads.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.2/inc/threads.php#L61"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Anas Mokhtari"}], "timeline": [{"time": "2026-04-21T17:36:12.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-27T15:57:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T12:37:03.777386Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:37:08.634Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Social Post Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Threads embed handler in all versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on the user-supplied URL. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-6809", "lastModified": "2026-04-28T06:16:04.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-28T06:16:04.770", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.1/inc/threads.php#L64"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.2/inc/threads.php#L49"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.2/inc/threads.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/social-post-embed/tags/2.0.2/inc/threads.php#L61"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/social-post-embed/trunk/inc/threads.php#L64"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c16841d-8878-4328-a5dc-113d213cca33?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.0.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Social Post Embed", "source": "cna", "vendor": "dartiss"}, "product": "social_post_embed", "vendor": "dartiss"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T12:29:02.242465+00:00", "value": {"mitigation_remediation": ["Update the Social Post Embed plugin to version 2.0.2 or later.", "If updating immediately is not feasible, restrict Contributor role permissions or remove Contributor users from the site.", "If the plugin cannot be removed, disable or delete the embed functionality entirely to prevent the stored script from being rendered."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Social Post Embed plugin installed in any version up to and including 2.0.1 are affected. The vulnerability resides in the Threads embed handler in the plugin code.", "description_and_impact": "The Social Post Embed WordPress plugin allows an authenticated user with Contributor or higher privileges to store a malicious URL in the Threads embed area. The plugin fails to sanitize that input and also does not escape it when rendering, so the attacker can inject arbitrary JavaScript that will run in the browser of any user who views the page containing the embed. This defacement or hijacking can lead to credential theft, session hijacking, or other client\u2011side attacks targeting site visitors.", "risk_and_exploitability": "With a CVSS score of 6.4 the flaw is of moderate severity. The EPSS score is not reported, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting a lower but still non\u2011negligible likelihood of exploitation. An attacker only needs to be an authenticated Contributor or higher to exploit the issue, so the attack vector is local to the site\u2019s content\u2011management side but the impact is on all site visitors who load the affected page."}}}}, "created": "2026-04-28T09:16:19.042909+00:00", "updated": "2026-04-28T12:30:31.069318+00:00", "vendors": ["dartiss", "dartiss$PRODUCT$social_post_embed", "wordpress", "wordpress$PRODUCT$wordpress"]}