CVE-2026-3228 - Vulnerability Analysis
Medium | CVSS: 6.4 | Last Updated: March 11, 2026
NextScripts Social Networks Auto-Poster - Stored XSS
Published: March 10, 2026 | Updated: March 11, 2026 | PoC Available | Remote Exploitable
Overview
NextScripts Social Networks Auto-Poster for WordPress <= 4.4.6 contains a stored cross-site scripting (XSS) vulnerability caused by insufficient sanitization and escaping of the snapFB post meta. It lets authenticated contributors inject scripts that execute when the affected page is accessed.
Severity & Score
Severity: Medium
CVSS Score: 6.4
Impact
Authenticated contributors can inject scripts that execute in users' browsers, potentially leading to session hijacking or defacement.
Mitigation
Update to the latest version, which must be later than 4.4.6.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/923c51ba-0ec2-4e32-a86e-404f3fe2ac7c?source=cve
- https://plugins.trac.wordpress.org/browser/social-networks-auto-poster-facebook-twitter-g/tags/4.4.6/inc-cl/fb.php#L581
- https://plugins.trac.wordpress.org/browser/social-networks-auto-poster-facebook-twitter-g/trunk/inc-cl/fb.php#L581
- https://plugins.trac.wordpress.org/changeset/3470727/social-networks-auto-poster-facebook-twitter-g/trunk/inc-cl/fb.php
Details
- CVE ID: CVE-2026-3228
- Severity: Medium
- CVSS Score: 6.4
- Type: stored_xss
- Status: unconfirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N