Skip to main content

WP Emmet CVE-2025-15658

| EUVDEUVD-2025-210139 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-39fh-wv35-mqph
5.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.9 MEDIUM

Administrator privilege required (PR:H) to inject; scope changes as payload executes in victims' browsers (S:C); victim page-load interaction needed (UI:R).

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 16:34 vuln.today

DescriptionCVE.org

Administrator Cross Site Scripting (XSS) in WP Emmet <= 0.3.4 versions.

AnalysisAI

Stored Cross-Site Scripting in the WP Emmet WordPress plugin (by rewish) versions 0.3.4 and earlier allows an administrator-level user to inject persistent malicious scripts through the plugin interface, which then execute in the browsers of other users who visit affected pages. The CVSS scope-change metric (S:C) confirms the injected payload crosses trust boundaries beyond the attacker's own session, enabling session hijacking, credential theft, or unauthorized actions against victims. No public exploit has been identified at time of analysis, and the vulnerability has not appeared in CISA KEV.

Technical ContextAI

WP Emmet is a WordPress plugin developed by the vendor 'rewish', identified in NVD CPE as cpe:2.3:a:rewish:wp_emmet:*:*:*:*:*:*:*:*. The plugin exposes one or more administrator-facing input fields that fail to properly sanitize or encode user-supplied data before rendering it in page output - the root cause class is CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS Scope:Changed metric indicates this is consistent with Stored XSS: content entered by a privileged admin is persisted server-side and subsequently rendered unsanitized in the browsers of other (potentially lower-privileged) users, allowing the payload to execute in a different security context than where it was introduced.

RemediationAI

The primary remediation is to update WP Emmet to a version above 0.3.4; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-emmet/vulnerability/wordpress-wp-emmet-plugin-0-3-4-cross-site-scripting-xss-vulnerability for the confirmed fixed release version, as no specific patched version number was included in the available intelligence data. If an update is unavailable or cannot be applied immediately, deactivate the WP Emmet plugin entirely to eliminate the injection surface - note this will disable Emmet functionality for content authors. Additionally, enforce strong administrator account hygiene: enable MFA for all admin users, audit current admin roster, and review recent plugin settings for existing injected payloads. Deploying a WordPress-aware WAF rule blocking script injection in admin POST requests can serve as a compensating control with the trade-off of potential false positives on legitimate HTML input.

Share

CVE-2025-15658 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy