{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5564", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-03T17:02:56.253Z", "datePublished": "2025-06-26T02:06:35.156Z", "dateUpdated": "2026-04-08T17:24:45.569Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:45.569Z"}, "affected": [{"vendor": "gurievcreative", "product": "GC Social Wall", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.15", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The GC Social Wall plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gc_social_wall' shortcode in all versions up to, and including, 1.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "GC Social wall <= 1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfe548ce-5dc9-4073-b755-d28e37720808?source=cve"}, {"url": "https://plugins.svn.wordpress.org/gc-social-wall/trunk/GCSocialWall.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-06-25T13:46:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-26T13:34:27.245683Z", "id": "CVE-2025-5564", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:35:50.457Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5564", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-26T13:34:27.245683Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T13:34:32.705Z"}}], "cna": {"title": "GC Social wall <= 1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "gurievcreative", "product": "GC Social Wall", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.15"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-25T13:46:55.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfe548ce-5dc9-4073-b755-d28e37720808?source=cve"}, {"url": "https://plugins.svn.wordpress.org/gc-social-wall/trunk/GCSocialWall.php"}], "descriptions": [{"lang": "en", "value": "The GC Social Wall plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gc_social_wall' shortcode in all versions up to, and including, 1.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:45.569Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5564", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:45.569Z", "dateReserved": "2025-06-03T17:02:56.253Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-26T02:06:35.156Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The GC Social Wall plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gc_social_wall' shortcode in all versions up to, and including, 1.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento GC Social Wall para WordPress es vulnerable a cross site scripting almacenado a trav\u00e9s del shortcode 'gc_social_wall' en todas las versiones hasta la 1.15 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5564", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-26T02:15:21.957", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/gc-social-wall/trunk/GCSocialWall.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfe548ce-5dc9-4073-b755-d28e37720808?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:27:40.372125+00:00", "value": {"mitigation_remediation": ["Update the GC Social Wall plugin to the latest version that removes the issue, preferably version 1.16 or newer.", "If an update is not yet available, remove the gc_social_wall shortcode from all posts or temporarily disable the plugin until a fix is released.", "Restrict contributor\u2011level access or revoke that role from users who do not need it to prevent injection of malicious payloads."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerable product is the GC Social Wall plugin from Guriev Creative. Versions up to and including 1.15 are affected, whereas any later revision is presumed fixed.", "description_and_impact": "The GC Social Wall plugin for WordPress is vulnerable to stored cross\u2011site scripting because the attributes of the gc_social_wall shortcode are not properly sanitized or escaped. An attacker who has at least contributor access can inject arbitrary JavaScript into the shortcode\u2019s attributes, which is then stored in the database and executed whenever any user views a page containing that shortcode. This client\u2011side code execution can be used for phishing, cookie theft, defacement or further exploitation of the site\u2019s users. The weakness is a classic stored XSS (CWE\u201179).", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.4, indicating medium severity. EPSS is less than 1\u202f%, suggesting a low likelihood of exploitation at present, and the issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated contributor or higher account to create or edit content that utilizes the gc_social_wall shortcode. Once a malicious payload is inserted, every visitor to the affected page will execute the injected script. The attack vector is thus web\u2011based content editing within the WordPress administration interface."}}}}, "created": "2025-07-13T21:48:13.327362+00:00", "updated": "2026-04-20T22:30:19.874111+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}