The Easy Social Feed WordPress plugin before 6.5.6 does not validate and escape some of its shortcode attributes before outputting them back in the page. This could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admin.
[
  {
    "cpes": [
      "cpe:2.3:a:wordpress:easy_social_feed:*:*:*:*:*:*:*:*"
    ],
    "vendor": "wordpress",
    "product": "easy_social_feed",
    "versions": [
      {
        "status": "affected",
        "version": "*"
      }
    ],
    "defaultStatus": "unknown"
  }
]