CVE-2026-5425

WordPress · Widgets for Social Photo Feed

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter.

Executive summary

A Stored Cross-Site Scripting vulnerability in the Widgets for Social Photo Feed plugin allows attackers to inject malicious scripts into the site.

Vulnerability

The plugin fails to sanitize the 'feed_data' parameter, allowing malicious JavaScript to be injected. The script is stored and then executed in the browsers of users viewing the site, potentially leading to session hijacking.
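The following is an added example and is not code from the Widgets for Social Photo Feed plugin: it shows the generic WordPress pattern behind a stored XSS of this kind (a request parameter saved unsanitized and later printed unescaped) next to the hardened equivalent. The option name `wsp_example_feed_data`, the `wsp_example_` functions, the capability, the nonce action and the settings group are all assumptions; only the parameter name 'feed_data' comes from the advisory.

```php
<?php
/**
 * Added example, not the plugin's own code. Everything prefixed
 * wsp_example_ is an assumed name used to illustrate the pattern.
 */

// --- Vulnerable pattern: raw input stored, stored value echoed raw --------

function wsp_example_save_feed_data_vulnerable() {
	if ( isset( $_POST['feed_data'] ) ) {
		// Untrusted request data written straight to the options table.
		update_option( 'wsp_example_feed_data', $_POST['feed_data'] );
	}
}

function wsp_example_render_feed_vulnerable() {
	// Printed without escaping: any markup in the stored value becomes part
	// of the page and runs in the browser of every visitor who renders it.
	echo '<div class="wsp-feed">' . get_option( 'wsp_example_feed_data', '' ) . '</div>';
}

// --- Hardened pattern: authorize, sanitize on input, escape on output ------

function wsp_example_register_setting() {
	// register_setting() attaches a sanitize_callback that WordPress runs on
	// every save of this option, regardless of which form submitted it.
	register_setting(
		'wsp_example_options',
		'wsp_example_feed_data',
		array(
			'type'              => 'string',
			'sanitize_callback' => 'wsp_example_sanitize_feed_data',
			'default'           => '',
		)
	);
}
add_action( 'admin_init', 'wsp_example_register_setting' );

function wsp_example_sanitize_feed_data( $value ) {
	// The field is treated as plain text: tags and control characters are
	// stripped. If limited HTML were genuinely required, wp_kses_post()
	// would be the narrowest allow-list alternative.
	return sanitize_text_field( $value );
}

function wsp_example_save_feed_data_hardened() {
	// Manual handler variant: check capability and nonce before touching
	// options, then sanitize the unslashed request value.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'wsp-example' ) );
	}
	check_admin_referer( 'wsp_example_save_feed', 'wsp_example_nonce' );
	if ( isset( $_POST['feed_data'] ) ) {
		$clean = sanitize_text_field( wp_unslash( $_POST['feed_data'] ) );
		update_option( 'wsp_example_feed_data', $clean );
	}
}

function wsp_example_render_feed_hardened() {
	$value = get_option( 'wsp_example_feed_data', '' );
	// Escape at the point of output even though input was sanitized: the two
	// controls are independent, and each catches what the other misses.
	echo '<div class="wsp-feed">' . esc_html( $value ) . '</div>';
}
```

Input sanitization alone is not enough because a value can reach the option through other paths (imports, REST, direct database edits); output escaping with `esc_html()` or `esc_attr()` is what actually prevents stored markup from executing.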

Business impact

With a CVSS score of 7.2, this vulnerability poses a risk of account takeover for administrative users. Attackers could steal session cookies, manipulate site content, or perform actions on behalf of authenticated administrators, leading to further site compromise.

Remediation

Immediate Action: Update the Widgets for Social Photo Feed plugin to the latest version.

Proactive Monitoring: Monitor for unusual script execution in the browser and review user access logs for signs of session hijacking.

Compensating Controls: Use a Web Application Firewall (WAF) to detect and block malicious XSS payloads in incoming requests.
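As an added example for the monitoring step above (not part of the advisory), the script below scans web-server access-log lines for requests whose 'feed_data' query parameter carries HTML tags, inline event handlers or script URLs. The log lines are constructed, the `wsp_example_` function names are assumptions, and there is a caveat: access logs record only the query string, so a value submitted in a POST body is visible only in WAF or application-level request logs.

```php
<?php
/**
 * Added example, not from the advisory. Log lines are constructed and the
 * wsp_example_ function names are assumptions.
 */

function wsp_example_feed_data_looks_like_markup( string $value ): bool {
	// A plain feed setting should never contain a tag, an inline event
	// handler or a javascript: URL; any of these merits a closer look.
	return (bool) preg_match( '/<\s*[a-z!\/]|javascript\s*:|\bon[a-z]+\s*=/i', $value );
}

function wsp_example_flag_log_lines( array $lines ): array {
	$flagged = array();
	foreach ( $lines as $line ) {
		// Combined log format request field: "METHOD /path?query HTTP/1.1"
		if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP/', $line, $m ) ) {
			continue;
		}
		$query = parse_url( $m[1], PHP_URL_QUERY );
		if ( empty( $query ) ) {
			continue;
		}
		parse_str( $query, $params ); // parse_str() URL-decodes the values
		if ( isset( $params['feed_data'] )
			&& is_string( $params['feed_data'] )
			&& wsp_example_feed_data_looks_like_markup( $params['feed_data'] ) ) {
			$flagged[] = $line;
		}
	}
	return $flagged;
}

// Constructed sample lines: one benign, one with an encoded <script> tag.
$sample_lines = array(
	'203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /wp-admin/admin.php?page=wsp&feed_data=instagram_main HTTP/1.1" 200 512',
	'203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=wsp_save&feed_data=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 64',
);

foreach ( wsp_example_flag_log_lines( $sample_lines ) as $hit ) {
	echo "SUSPICIOUS: {$hit}\n";
}
```

Run it against an exported access log by replacing `$sample_lines` with `file( '/path/to/access.log', FILE_IGNORE_NEW_LINES )`; any hit should be checked against the admin sessions active at that time, since a successful save implies an authenticated request.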

Exploitation status

Public Exploit Available: false

Analyst recommendation

Update this plugin immediately to mitigate the risk of XSS. Given that XSS can lead to administrative account takeover, this should be treated as a high-priority security task.