CVE-2025-10166
Published
CVSS v3: 6.4 MEDIUM
CVSS v2: N/A
Affected: 1 project
Description
The Social Media Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'twitter' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
<p>This plugin registers shortcodes for the following websites, social service on the left, format for the shortcode on the right:</p>
<p>Service / shortcode version</p>
<ul>
<li>Blogger [blogger]</li>
<li>BookHype [bookhype]</li>
<li>Colourlovers [colourlovers]</li>
<li>DeviantArt [deviantart]</li>
<li>Digg [digg]</li>
<li>Dribbble [dribbble]</li>
<li>Etsy [etsy]</li>
<li>Facebook [facebook]</li>
<li>Flickr [flickr]</li>
<li>Flipboard [flipboard]</li>
<li>GitHub [github]</li>
<li>Goodreads [goodreads]</li>
<li>HackerNews [hackernews]</li>
<li>IMDb [imdb]</li>
<li>Instagram [instagram]</li>
<li>Last.FM [lastfm]</li>
<li>LinkedIn [linkedin]</li>
<li>Myspace [myspace]</li>
<li>Patreon [patreon]</li>
<li>Pinterest [pinterest]</li>
<li>Reddit [reddit]</li>
<li>Slideshare [slideshare]</li>
<li>SpaceHey [spacehey]</li>
<li>Soundcloud [soundcloud]</li>
<li>TikTok [tiktok]</li>
<li>Twitch [twitch]</li>
<li>Twitter [twitter]</li>
<li>Vimeo [vimeo]</li>
<li>X [x]</li>
<li>Yelp [yelp]</li>
<li>YouTube [youtube]</li>
</ul>
<p>All examples updated for v1.1</p>
<p>Example 1:</p>
<pre><code>[twitter name="JoeSomeone" text="some text you want the link to appear as"]
</code></pre>
<p>results in this on your post/page:</p>
<pre><code><a href="http://www.twitter.com/JoeSomeone" title="JoeSomeone's Twitter profile" class="twitter_smsc">some text you want the link to appear as</a>
</code></pre>
<p>Example 2:</p>
<pre><code>[twitter name="JoeSomeone"]
</code></pre>
<p>results in this on your post/page:</p>
<pre><code><a href="http://www.twitter.com/JoeSomeone" title="JoeSomeone's Twitter profile" class="twitter_smsc">JoeSomeone (Twitter)</a>
</code></pre>
<p>Example 3:</p>
<pre><code>[twitter name="JoeSomeone" target="_blank"]
</code></pre>
<p>results in this on your post/page:</p>
<pre><code><a href="http://www.twitter.com/JoeSomeone" title="JoeSomeone's Twitter profile" target="_blank" class="twitter_smsc">JoeSomeone (Twitter)</a>
</code></pre>
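<p>The advisory above says the shortcode's user-supplied attributes reach the generated anchor without sanitization or escaping. The following added example is not the plugin's own code: it reconstructs the unsafe pattern the description implies for a link shortcode shaped like the [twitter] examples, and places a hardened handler beside it. The function names (smsc_example_link_unescaped, smsc_example_link_escaped), the fallback stubs for esc_attr/esc_html/shortcode_atts, and the sample attribute values are all assumptions so the file runs under a plain php CLI as well as inside WordPress.</p>

```php
<?php
// Added example, not code from the Social Media Shortcodes plugin.
// Minimal stand-ins for WordPress helpers so this file runs outside WordPress.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $defaults, $atts ) { return array_merge( $defaults, (array) $atts ); }
}

// Unsafe pattern (hypothetical reconstruction of what the advisory describes):
// every attribute is interpolated into the HTML verbatim, so a quote or an
// angle bracket in `name`, `text` or `target` changes the markup.
function smsc_example_link_unescaped( $atts ) {
    $a      = shortcode_atts( array( 'name' => '', 'text' => '', 'target' => '' ), $atts );
    $text   = $a['text'] !== '' ? $a['text'] : $a['name'] . ' (Twitter)';
    $target = $a['target'] !== '' ? ' target="' . $a['target'] . '"' : '';
    return '<a href="http://www.twitter.com/' . $a['name'] . '" title="' . $a['name']
        . "'s Twitter profile\"" . $target . ' class="twitter_smsc">' . $text . '</a>';
}

// Hardened version: validate the handle against the characters a Twitter
// handle may contain, allow-list `target`, and escape each value for the
// context it lands in (attribute value vs. text node).
function smsc_example_link_escaped( $atts ) {
    $a = shortcode_atts( array( 'name' => '', 'text' => '', 'target' => '' ), $atts );

    // A handle is 1-15 letters, digits or underscores; anything else renders nothing.
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,15}$/', $a['name'] ) ) {
        return '';
    }
    $name = $a['name'];

    // Only fixed, known-safe target values are passed through.
    $target = '';
    if ( in_array( $a['target'], array( '_blank', '_self' ), true ) ) {
        $target = ' target="' . esc_attr( $a['target'] ) . '"';
        if ( '_blank' === $a['target'] ) {
            $target .= ' rel="noopener noreferrer"'; // prevent the opened page from reaching window.opener
        }
    }

    $text = $a['text'] !== '' ? $a['text'] : $name . ' (Twitter)';

    return '<a href="http://www.twitter.com/' . esc_attr( $name ) . '"'
        . ' title="' . esc_attr( $name . "'s Twitter profile" ) . '"'
        . $target . ' class="twitter_smsc">' . esc_html( $text ) . '</a>';
}

if ( function_exists( 'add_shortcode' ) ) {
    // Inside WordPress: register under a hypothetical tag name.
    add_shortcode( 'twitter_example', 'smsc_example_link_escaped' );
} else {
    // Constructed sample values containing attribute and tag delimiters.
    $bad  = array( 'name' => 'Joe"><em>x</em>', 'text' => 'see <b>me</b>', 'target' => '_blank" data-extra="1' );
    $good = array( 'name' => 'JoeSomeone', 'text' => 'see <b>me</b>', 'target' => '_blank' );

    echo smsc_example_link_unescaped( $bad ), "\n";  // delimiters survive into the markup
    echo smsc_example_link_escaped( $bad ), "\n";    // empty: handle fails validation
    echo smsc_example_link_escaped( $good ), "\n";   // <b> arrives as &lt;b&gt; inside the link text
}
```

<p>The hardened handler treats the three attributes differently on purpose: the handle is validated rather than escaped because it also forms part of the URL, the target is allow-listed because escaping cannot make an arbitrary target value meaningful, and the link text is escaped as HTML because it is free text. Running the file under php shows the first line carrying the injected delimiters through unchanged and the remaining lines either rejecting or neutralising them.</p>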
<p>Filters:</p>
<pre><code>// Register an additional site: the key is the shortcode tag, the value is
// array( display name, profile URL prefix ).
function example_add_site( $sites ) {
    $sites['somesite'] = array( 'Some Site', 'http://www.somesite.com/user/' );
    // Return the $sites array
    return $sites;
}
add_filter( 'smsc_shortcodes', 'example_add_site' );

// Append an extra CSS class to every generated link.
function example_add_classes( $classes ) {
    $classes[] = 'someclass';
    return $classes;
}
add_filter( 'smsc_classes', 'example_add_classes' );

// Alter the final link HTML for one shortcode; every other shortcode's
// output is returned unchanged (the original returned an undefined variable).
function example_change_final_link( $output, $shortcode ) {
    if ( 'somesite' == $shortcode ) {
        $output .= ' <--Awesome profile!';
    }
    return $output;
}
add_filter( 'smsc_final_link', 'example_change_final_link', 10, 2 );
</code></pre>