EP4 More Embeds CVE-2025-25083
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound EP4 More Embeds allows Stored XSS. This issue affects EP4 More Embeds: from n/a through 1.0.0.
AnalysisAI
Stored cross-site scripting in EP4 More Embeds WordPress plugin (all versions up to 1.0.0) allows remote attackers to inject malicious JavaScript into website content that executes in victims' browsers. Despite CVSS 7.1, exploitation probability is very low (EPSS 0.09%, 26th percentile) and requires user interaction. No active exploitation confirmed, no vendor patch identified, and limited deployment scope of this niche WordPress plugin significantly reduces real-world risk.
Technical ContextAI
EP4 More Embeds is a WordPress plugin designed to extend embed functionality for various content types. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied data is incorporated into generated HTML pages without proper encoding or sanitization. This allows attackers to inject arbitrary JavaScript that persists in the application's data store (hence 'stored' XSS) and executes when other users view the affected content. The stored nature differentiates this from reflected XSS by allowing attackers to compromise multiple victims through a single injection point, typically in plugin configuration fields, embed parameters, or content storage mechanisms that lack input validation and output encoding controls.
Affected ProductsAI
EP4 More Embeds WordPress plugin versions from earliest release through 1.0.0 are confirmed vulnerable per NVD data. The vulnerability impacts all installations of this plugin up to and including version 1.0.0. No CPE identifier is available in the provided data, and the plugin does not appear in WordPress.org official repository based on reference URLs pointing exclusively to Patchstack database entries. Users can verify affected status by checking WordPress admin panel under Plugins for 'EP4 More Embeds' with version 1.0.0 or earlier. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/ep4-more-embeds/vulnerability/wordpress-ep4-more-embeds-plugin-1-0-0-stored-cross-site-scripting-xss-vulnerability.
RemediationAI
No vendor-released patch or updated version confirmed at time of analysis. The plugin appears unmaintained based on absence of fix version data and Patchstack-only references. Immediate action: uninstall EP4 More Embeds plugin entirely if business requirements permit, as no secure version exists. If functionality is mission-critical, implement compensating controls: restrict plugin configuration and content creation to only highly trusted administrators (not general content contributors), deploy Web Application Firewall rules to filter common XSS patterns in POST requests to WordPress admin endpoints, implement Content Security Policy headers with restrictive script-src directives to limit inline JavaScript execution (note this may break legitimate WordPress admin functionality requiring careful testing), and monitor for unauthorized JavaScript in plugin-generated embed content through regular security scans. Consider alternative embed plugins from actively maintained projects with recent security updates. Consult Patchstack advisory for any vendor-specific guidance: https://patchstack.com/database/wordpress/plugin/ep4-more-embeds/vulnerability/wordpress-ep4-more-embeds-plugin-1-0-0-stored-cross-site-scripting-xss-vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today