CVE-2026-7659

Advanced Social Media Icons <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'social' Shortcode

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `social` shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2
PublishedMay 11, 2026
Last updatedMay 12, 2026
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-7659 ## 1. Vulnerability Summary **CVE-2026-7659** is a Stored Cross-Site Scripting (XSS) vulnerability in the **Advanced Social Media Icons** plugin (versions <= 1.2). The vulnerability resides in the rendering of the `[social]` shortcode. The plugin fails to…

Show full research plan

Exploitation Research Plan: CVE-2026-7659

1. Vulnerability Summary

CVE-2026-7659 is a Stored Cross-Site Scripting (XSS) vulnerability in the Advanced Social Media Icons plugin (versions <= 1.2). The vulnerability resides in the rendering of the [social] shortcode. The plugin fails to adequately sanitize or escape user-supplied attributes within the shortcode before outputting them into the HTML of a page or post. This allows an authenticated attacker with Contributor-level privileges (who can create and edit posts but not publish them or use unfiltered_html) to inject malicious JavaScript.

2. Attack Vector Analysis

  • Endpoint: WordPress Post Editor (/wp-admin/post.php or REST API /wp/v2/posts).
  • Vulnerable Component: The social shortcode handler.
  • Payload Carrier: Shortcode attributes (e.g., link, type, style, or others defined in the plugin).
  • Authentication: Contributor+ (Requires edit_posts capability).
  • Preconditions: The plugin must be active. A contributor must be able to save a post/page containing the shortcode.

3. Code Flow (Inferred)

  1. Registration: During init, the plugin registers the shortcode:
    add_shortcode('social', 'asm_social_icons_shortcode_handler'); (inferred function name).
  2. Processing: When a post is rendered, do_shortcode() calls the handler.
  3. Attributes: The handler receives an $atts array. It likely uses shortcode_atts() to merge defaults but fails to apply esc_attr(), esc_url(), or esc_html() to the values.
  4. Sink: The handler returns a string containing HTML where the raw attribute values are concatenated into HTML attributes (like href, class, or style) or tag content.
  5. Execution: When any user (including Administrators) views the post, the browser executes the injected script.

4. Nonce Acquisition Strategy

To save a post as a Contributor, a WordPress "post nonce" (_wpnonce) is required for the editpost action.

  1. Identify Trigger: The vulnerability is triggered by saving a post with the [social] shortcode.
  2. Acquisition:
    • The execution agent should login as a Contributor.
    • Navigate to /wp-admin/post-new.php.
    • Use browser_eval to extract the nonce from the page source. In the block editor (Gutenberg), the nonce is often found in the wp-api-fetch settings or the _wpnonce hidden input in the classic editor.
    • Logic: browser_eval("document.querySelector('#_wpnonce')?.value || wp.apiFetch.nonce") (inferred).

5. Exploitation Strategy

The goal is to demonstrate Stored XSS by injecting a payload into a shortcode attribute.

Step 1: Authentication

Login to the WordPress instance as a user with the Contributor role.

Step 2: Create Malicious Post

Use the http_request tool to create a new post containing the payload.

  • URL: http://<target>/wp-admin/post.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body Parameters:
    • action: editpost
    • post_ID: (The ID of a newly created draft)
    • post_title: XSS Test
    • content: [social link='"><script>alert(origin)</script>']
    • _wpnonce: (The nonce obtained in Section 4)

Step 3: Trigger the XSS

Navigate an administrative user or an unauthenticated visitor to the URL of the post created in Step 2.

6. Test Data Setup

  1. Install Plugin: Ensure advanced-social-media-icons version 1.2 is installed and active.
  2. Create User:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password
    
  3. Identify Post ID:
    Create a draft post to get a valid post_ID:
    wp post create --post_status=draft --post_author=$(wp user get attacker --field=ID) --post_title="Draft"
    

7. Expected Results

  • Storage: The database will contain the raw payload: [social link='"><script>alert(origin)</script>'].
  • Rendering: When the post is viewed, the HTML output should look similar to:
    <a href=""><script>alert(origin)</script>" ...></a> (assuming the link attribute was injected into an href).
  • Execution: A JavaScript alert box showing the origin will appear in the browser.

8. Verification Steps

  1. Database Check: Verify the content is stored exactly as sent.
    wp db query "SELECT post_content FROM wp_posts WHERE post_title='XSS Test'"
    
  2. Source Check: Use browser_navigate to the post URL and check if the payload is present and unescaped in the HTML source.
    // browser_eval
    document.body.innerHTML.includes('<script>alert(origin)</script>')
    

9. Alternative Approaches

If the link attribute is sanitized, attempt injection via other common shortcode attributes used by this plugin (inferred):

  • type: [social type='"><img src=x onerror=alert(1)>']
  • icon: [social icon='"><img src=x onerror=alert(1)>']
  • style: [social style='background-image: url("javascript:alert(1)")']

If the Block Editor is used, the request format will change to a REST API POST to /wp-json/wp/v2/posts/<ID> with a JSON body and the X-WP-Nonce header.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [social] shortcode in versions up to 1.2. Due to insufficient input sanitization and output escaping of shortcode attributes, authenticated attackers with Contributor-level permissions can inject arbitrary JavaScript into posts that executes when viewed by other users.

Security Fix

--- advanced-social-media-icons.php
+++ advanced-social-media-icons.php
@@ -1,1 +1,1 @@
-return '<a href="' . $atts['link'] . '">...</a>';
+return '<a href="' . esc_url($atts['link']) . '">...</a>';

Exploit Outline

An attacker with Contributor-level access or higher authenticates to the WordPress dashboard and creates or edits a post. They insert the [social] shortcode with a malicious payload in an attribute, such as [social link='\"><script>alert(origin)</script>']. When the post is saved, the payload is stored in the database. The vulnerability is triggered when any user, including an administrator, views the post, causing the unescaped attribute to be rendered as part of the HTML and executing the injected script.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.