{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9857", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-02T15:40:31.044Z", "datePublished": "2025-09-10T06:38:51.180Z", "dateUpdated": "2026-04-08T17:25:00.116Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:00.116Z"}, "affected": [{"vendor": "heateor", "product": "Heateor Login \u2013 Social Login Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Heateor Login \u2013 Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Heateor Login \u2013 Social Login Plugin <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d106d581-d711-44ac-b85a-c43aad727eeb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/heateor-login/tags/1.1.9/shortcode.php#L24"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3357088%40heateor-login&new=3357088%40heateor-login&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "timeline": [{"time": "2025-09-04T07:24:49.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-09T17:52:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-10T15:02:03.917675Z", "id": "CVE-2025-9857", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T15:06:57.065Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-10T15:02:03.917675Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-10T15:06:53.075Z"}}], "cna": {"title": "Heateor Login \u2013 Social Login Plugin <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gilang Asra Bilhadi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "heateor", "product": "Heateor Login \u2013 Social Login Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-04T07:24:49.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-09T17:52:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d106d581-d711-44ac-b85a-c43aad727eeb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/heateor-login/tags/1.1.9/shortcode.php#L24"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3357088%40heateor-login&new=3357088%40heateor-login&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Heateor Login \u2013 Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:00.116Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9857", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:25:00.116Z", "dateReserved": "2025-09-02T15:40:31.044Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-10T06:38:51.180Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Heateor Login \u2013 Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-9857", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-10T07:15:46.730", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/heateor-login/tags/1.1.9/shortcode.php#L24"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3357088%40heateor-login&new=3357088%40heateor-login&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d106d581-d711-44ac-b85a-c43aad727eeb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:52:37.803106+00:00", "value": {"mitigation_remediation": ["Upgrade the Heateor Login \u2013 Social Login Plugin to the latest version where the input sanitization bug is fixed", "If an upgrade is temporarily impossible, disable or remove the Heateor_Facebook_Login shortcode from all pages, or configure the editor to strip it automatically", "Apply a Content Security Policy that restricts the execution of inline scripts to mitigate any remaining injection risk"], "summary": {"action": "Patch Now", "impact": "Stored XSS via authenticated contributor+ access"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Heateor Login \u2013 Social Login Plugin version 1.1.9 or earlier installed are affected. The vulnerability applies to any page that contains the vulnerable shortcode, regardless of the WordPress core version.", "description_and_impact": "The Heateor Login \u2013 Social Login Plugin is vulnerable to stored cross\u2011site scripting through its 'Heateor_Facebook_Login' shortcode. The plugin does not sanitize or escape user\u2011supplied attributes, allowing an attacker who is authenticated with contributor level access or higher to inject arbitrary JavaScript. When a site visitor views a page containing the malicious shortcode, the injected script runs in the visitor\u2019s browser.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate severity. The EPSS score of less than 1% suggests that exploitation is not widespread at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be authenticated with contributor or higher privileges; once authenticated, they can embed malicious JavaScript into the shortcode, which will execute for every user who views the affected page."}}}}, "created": "2025-09-12T09:11:33.341628+00:00", "updated": "2026-04-20T22:00:11.197188+00:00", "vendors": ["heateor", "heateor$PRODUCT$social_login", "wordpress", "wordpress$PRODUCT$wordpress"]}