Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Administrator privilege required (PR:H) to inject; scope changes as payload executes in victims' browsers (S:C); victim page-load interaction needed (UI:R).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Administrator Cross Site Scripting (XSS) in WP Emmet <= 0.3.4 versions.
AnalysisAI
Stored Cross-Site Scripting in the WP Emmet WordPress plugin (by rewish) versions 0.3.4 and earlier allows an administrator-level user to inject persistent malicious scripts through the plugin interface, which then execute in the browsers of other users who visit affected pages. The CVSS scope-change metric (S:C) confirms the injected payload crosses trust boundaries beyond the attacker's own session, enabling session hijacking, credential theft, or unauthorized actions against victims. No public exploit has been identified at time of analysis, and the vulnerability has not appeared in CISA KEV.
Technical ContextAI
WP Emmet is a WordPress plugin developed by the vendor 'rewish', identified in NVD CPE as cpe:2.3:a:rewish:wp_emmet:*:*:*:*:*:*:*:*. The plugin exposes one or more administrator-facing input fields that fail to properly sanitize or encode user-supplied data before rendering it in page output - the root cause class is CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS Scope:Changed metric indicates this is consistent with Stored XSS: content entered by a privileged admin is persisted server-side and subsequently rendered unsanitized in the browsers of other (potentially lower-privileged) users, allowing the payload to execute in a different security context than where it was introduced.
RemediationAI
The primary remediation is to update WP Emmet to a version above 0.3.4; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-emmet/vulnerability/wordpress-wp-emmet-plugin-0-3-4-cross-site-scripting-xss-vulnerability for the confirmed fixed release version, as no specific patched version number was included in the available intelligence data. If an update is unavailable or cannot be applied immediately, deactivate the WP Emmet plugin entirely to eliminate the injection surface - note this will disable Emmet functionality for content authors. Additionally, enforce strong administrator account hygiene: enable MFA for all admin users, audit current admin roster, and review recent plugin settings for existing injected payloads. Deploying a WordPress-aware WAF rule blocking script injection in admin POST requests can serve as a compensating control with the trade-off of potential false positives on legitimate HTML input.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210139
GHSA-39fh-wv35-mqph