Blog2Social: Social Media Auto Post & Scheduler < 8.4.0 – Contributor+ Stored XSS | CVE 2025-4133 | Plugin Vulnerabilities

Description

The plugin does not escape the title of posts when outputting them in a dashboard, which could allow users with the contributor role to perform Cross-Site Scripting attacks.

Proof of Concept

As a contributor, create a post with the following title and submit it for review: &amp;lt;img src=x onerror=alert(/XSS/)&amp;gt;

The XSS will be triggered when users (such as an admin) will open the "All Posts" page of the plugin (/wp-admin/admin.php?page=blog2social-post)

Affects Plugins

Fixed in 8.4.0

References

CVE

URL

https://research.cleantalk.org/CVE-2025-4133/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krugov Artyom

Submitter

Krugov Aryom

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

ebd7e5f5-af8d-42ca-b6ff-af92e03d4a3e

Timeline

Publicly Published

2025-05-01 (about 7 months ago)

Added

2025-05-01 (about 7 months ago)

Last Updated

2025-05-01 (about 7 months ago)

Other

Published

Title

Published

2024-04-24

Title

Essential Addons for Elementor < 5.9.16 - Contributor+ Stored Cross-Site Scripting

Published

2025-01-16

Title

MyBookProgress by Stormhill Media <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via book Parameter

Published

2024-04-16

Title

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce < 2.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-07-04

Title

Chatra Live Chat + ChatBot + Cart Saver <= 1.0.11 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-01-30

Title

Storely <= 20.7 - Authenticated (Contributor+) Stored Cross-Site Scripting