PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-47910 Accesspressthemes CVE debrief

CVE-2021-47910 describes a stored cross-site scripting issue in AccessPress Social Icons 1.8.2. According to the supplied corpus, an authenticated attacker can place JavaScript payloads into the "icon title" field, and the malicious content is then executed when the plugin page is viewed. The key risk is that stored content is rendered back to users who access the plugin interface, allowing script execution in their browser.

Vendor: Accesspressthemes
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-10
Original CVE updated: 2026-05-10
Advisory published: 2026-05-10
Advisory updated: 2026-05-10

Who should care

WordPress site operators, plugin maintainers, and administrators using AccessPress Social Icons 1.8.2 should review this issue, especially where authenticated users can edit plugin settings or content.

Technical summary

The supplied description identifies a stored XSS flaw affecting the plugin's "icon title" field. The vulnerability is authenticated (PR:L in the supplied CVSS vector) and requires user interaction to trigger (UI:P). The weakness is classified as CWE-79. Because the payload is stored and later rendered in the plugin interface, any user who views the affected page can be exposed to the injected script.

Defensive priority

Medium. The issue requires authentication, but it can persist in stored content and execute for viewers of the plugin interface, which raises the impact for shared WordPress admin environments.

Recommended defensive actions

  • Update or replace AccessPress Social Icons 1.8.2 if a fixed release is available from the vendor or WordPress plugin channel.
  • Restrict who can modify plugin settings or fields that are rendered in the interface, including the icon title field.
  • Review existing stored icon title values for unexpected markup or script-like content and remove suspicious entries.
  • Apply output encoding or sanitization in any custom integration that renders plugin-managed fields.
  • If the plugin is not needed, disable or remove it to eliminate exposure.
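
The review and output-encoding actions above can be sketched as follows; this is an added example, not code from the plugin or from the advisory. The page does not say where the plugin stores icon titles, so the input is assumed to be an export of (row id, title) pairs, and the function names and sample rows are constructed for illustration.

```python
import html
import re

# Heuristics for a field that should hold plain text; a hit means "review by hand".
CHECKS = [
    ("html tag", re.compile(r"</?[a-zA-Z!]")),
    ("event-handler attribute", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script URL scheme", re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)),
]

def normalize(value):
    """Decode HTML entities (up to 3 layers) so encoded markup is inspected too."""
    for _ in range(3):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value

def audit_titles(rows):
    """Return {row_id: [reasons]} for stored titles that are not plain text."""
    findings = {}
    for row_id, title in rows:
        text = normalize(title)
        reasons = [name for name, rx in CHECKS if rx.search(text)]
        if reasons:
            findings[row_id] = reasons
    return findings

def encode_for_attribute(title):
    """Encode a stored title for output in a quoted HTML attribute or text node."""
    return html.escape(title, quote=True)

# Constructed sample export: (row id, stored icon title). Not real plugin data.
SAMPLE_ROWS = [
    (1, "Follow us on Twitter"),
    (2, "<script>alert(1)</script>"),
    (3, 'Facebook" onmouseover="alert(1)'),
    (4, "Tom &amp; Jerry &lt;3"),
    (5, "&lt;img src=x onerror=alert(1)&gt;"),
]

if __name__ == "__main__":
    for row_id, reasons in audit_titles(SAMPLE_ROWS).items():
        print(f"row {row_id}: {', '.join(reasons)}")
    print(encode_for_attribute(SAMPLE_ROWS[2][1]))
```

Row 3 shows why a tag-only filter is not enough: the value contains no angle brackets and only becomes a problem when written unencoded into a quoted attribute, which is what the encoding step prevents.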

Evidence notes

The description supplied with the CVE states that AccessPress Social Icons 1.8.2 has a stored XSS vulnerability in the "icon title" field. The NVD metadata in the corpus classifies the weakness as CWE-79 and provides a CVSS v4 vector showing network attack, low privileges, and user interaction requirements. The corpus also links the vendor site, the WordPress plugin listing, a third-party reference, and a VulnCheck advisory.

Official resources

The supplied NVD record for CVE-2021-47910 is dated 2026-05-10T13:16:27.890Z in the provided corpus, with the same timestamp for both publication and modification. The corpus associates the record with public references to the vendor site,