Skip to main content

EP4 More Embeds CVE-2025-25083

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound EP4 More Embeds allows Stored XSS. This issue affects EP4 More Embeds: from n/a through 1.0.0.

AnalysisAI

Stored cross-site scripting in EP4 More Embeds WordPress plugin (all versions up to 1.0.0) allows remote attackers to inject malicious JavaScript into website content that executes in victims' browsers. Despite CVSS 7.1, exploitation probability is very low (EPSS 0.09%, 26th percentile) and requires user interaction. No active exploitation confirmed, no vendor patch identified, and limited deployment scope of this niche WordPress plugin significantly reduces real-world risk.

Technical ContextAI

EP4 More Embeds is a WordPress plugin designed to extend embed functionality for various content types. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied data is incorporated into generated HTML pages without proper encoding or sanitization. This allows attackers to inject arbitrary JavaScript that persists in the application's data store (hence 'stored' XSS) and executes when other users view the affected content. The stored nature differentiates this from reflected XSS by allowing attackers to compromise multiple victims through a single injection point, typically in plugin configuration fields, embed parameters, or content storage mechanisms that lack input validation and output encoding controls.

Affected ProductsAI

EP4 More Embeds WordPress plugin versions from earliest release through 1.0.0 are confirmed vulnerable per NVD data. The vulnerability impacts all installations of this plugin up to and including version 1.0.0. No CPE identifier is available in the provided data, and the plugin does not appear in WordPress.org official repository based on reference URLs pointing exclusively to Patchstack database entries. Users can verify affected status by checking WordPress admin panel under Plugins for 'EP4 More Embeds' with version 1.0.0 or earlier. Patchstack advisory available at https://patchstack.com/database/wordpress/plugin/ep4-more-embeds/vulnerability/wordpress-ep4-more-embeds-plugin-1-0-0-stored-cross-site-scripting-xss-vulnerability.

RemediationAI

No vendor-released patch or updated version confirmed at time of analysis. The plugin appears unmaintained based on absence of fix version data and Patchstack-only references. Immediate action: uninstall EP4 More Embeds plugin entirely if business requirements permit, as no secure version exists. If functionality is mission-critical, implement compensating controls: restrict plugin configuration and content creation to only highly trusted administrators (not general content contributors), deploy Web Application Firewall rules to filter common XSS patterns in POST requests to WordPress admin endpoints, implement Content Security Policy headers with restrictive script-src directives to limit inline JavaScript execution (note this may break legitimate WordPress admin functionality requiring careful testing), and monitor for unauthorized JavaScript in plugin-generated embed content through regular security scans. Consider alternative embed plugins from actively maintained projects with recent security updates. Consult Patchstack advisory for any vendor-specific guidance: https://patchstack.com/database/wordpress/plugin/ep4-more-embeds/vulnerability/wordpress-ep4-more-embeds-plugin-1-0-0-stored-cross-site-scripting-xss-vulnerability.

Share

CVE-2025-25083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy