The Social Media Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting. In versions up to 2.2 of the plugin, the parameters 'acx_widget_si_theme', 'acx_widget_si_twitter', 'acx_widget_si_facebook', 'acx_widget_si_youtube', 'acx_widget_si_linkedin', 'acx_widget_si_gplus', 'acx_widget_si_credit', 'acx_widget_si_icon_size', 'acx_widget_si_pinterest', and 'acx_widget_si_feed' are not properly protected against malicious input. As a result, an attacker who has access to the plugin can inject malicious code into web pages, and that code then executes in the browser of any user who visits an affected page.
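
The missing protection has two halves, validating each parameter when it is saved and escaping it when it is written into the page. The PHP sketch below is an added example, not the plugin's own code or its actual fix. The parameter names come from the advisory; the value type assigned to each one (URL, integer, yes/no flag), the function names and the sample submission are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. Parameter names are from the
// advisory; the value type assumed for each one is an assumption.
const URL_PARAMS = [
    'acx_widget_si_twitter', 'acx_widget_si_facebook', 'acx_widget_si_youtube',
    'acx_widget_si_linkedin', 'acx_widget_si_gplus', 'acx_widget_si_pinterest',
    'acx_widget_si_feed',
];
const INT_PARAMS = ['acx_widget_si_theme', 'acx_widget_si_icon_size'];

// Validate on save: store only values that match the expected type.
function sanitize_widget_params(array $input): array
{
    $clean = [];
    foreach (URL_PARAMS as $key) {
        $value  = trim((string) ($input[$key] ?? ''));
        $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
        $valid  = filter_var($value, FILTER_VALIDATE_URL) !== false
            && in_array($scheme, ['http', 'https'], true);
        $clean[$key] = $valid ? $value : '';
    }
    foreach (INT_PARAMS as $key) {
        $clean[$key] = max(0, (int) ($input[$key] ?? 0));
    }
    $credit = $input['acx_widget_si_credit'] ?? 'no';
    $clean['acx_widget_si_credit'] = $credit === 'yes' ? 'yes' : 'no';
    return $clean;
}

// Escape on output: a URL that passes validation can still contain quotes
// or angle brackets, so it is encoded for the HTML attribute context.
function render_icon_link(string $url, int $size): string
{
    return sprintf(
        '<a href="%s"><img width="%d" height="%d" alt=""></a>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        $size, $size
    );
}

// Constructed sample submission with markup in several fields.
$submitted = [
    'acx_widget_si_twitter'   => '"><script>alert(1)</script>',
    'acx_widget_si_facebook'  => 'https://example.com/page?a="b"',
    'acx_widget_si_icon_size' => '32" onload="x',
];
$stored = sanitize_widget_params($submitted);
echo render_icon_link($stored['acx_widget_si_facebook'], $stored['acx_widget_si_icon_size']), "\n";
```

Inside WordPress the same two steps are normally written with the core helpers `esc_url_raw()` and `absint()` on save and `esc_url()` and `esc_attr()` on output.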