CVE-2025-9857: 
WordPress vulnerability analysis and mitigation

The Heateor Login – Social Login Plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-9857) discovered in September 2025. The vulnerability affects all versions up to and including 1.1.9 and is related to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's 'Heateor_Facebook_Login' shortcode (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (Medium). The security flaw exists in the plugin's shortcode functionality where user-supplied attributes are not properly sanitized and escaped before being stored and displayed. This vulnerability specifically affects the 'Heateor_Facebook_Login' shortcode implementation (Wordfence).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page, potentially leading to session hijacking, credential theft, or other client-side attacks (NVD).

The vulnerability has been patched in version 1.1.10 of the Heateor Login plugin, released on September 6, 2025. Users are advised to update to this version immediately. The update includes security fixes for the Stored XSS vulnerability and improvements to the Facebook API and SDK, updating them to version 23.0 (WordPress Plugin Repository).