CVE-2025-4583: 
WordPress vulnerability analysis and mitigation

The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-4583) discovered on May 29, 2025. This vulnerability affects all versions up to and including 6.9.0. The issue stems from insufficient input sanitization and output escaping of the data-plugin attribute (NVD, Wiz).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 base score of 5.4 (Medium). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C) with low confidentiality (C:L) and integrity (I:L) impacts, and no availability impact (A:N) (NVD, Rapid7).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD, Wiz).

Users should update to a version newer than 6.9.0 when available. Until then, it is recommended to restrict access to the WordPress dashboard to trusted users only and monitor for suspicious activities (Wiz).