CVE-2025-64198: 
WordPress vulnerability analysis and mitigation

The Easy Social Share Buttons plugin for WordPress (versions up to 10.7.1) contains a Stored Cross-Site Scripting vulnerability (CVE-2025-64198). The vulnerability was discovered by João Pedro S Alcântara (Kinorth) and publicly disclosed on October 26, 2025. This security issue affects the plugin's input handling mechanisms, potentially exposing WordPress websites using vulnerable versions to cross-site scripting attacks (Rapid7, Wordfence).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation, stemming from insufficient input sanitization and output escaping mechanisms. It has received a CVSS score of 7.2 (High), indicating significant severity. The technical nature of the vulnerability allows for stored XSS attacks, where malicious scripts can be injected and stored on the target system (Patchstack, Rapid7).

The vulnerability enables unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This could allow malicious actors to inject various types of payloads including redirects, advertisements, and other HTML content that executes in visitors' browsers (Patchstack).

Website administrators are advised to update to version 10.7.1 or later of the Easy Social Share Buttons plugin to resolve the vulnerability. Patchstack has issued a mitigation rule to block potential attacks until users can update to the fixed version. The vulnerability has been patched in version 10.7.1, which was released shortly after the discovery (Patchstack).