Medium severity4.4NVD Advisory· Published Dec 12, 2025· Updated Apr 15, 2026
CVE-2025-14048
CVE-2025-14048
Description
The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplyconvert_hash' option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected products
2<=1.0+ 1 more
- (no CPE)range: <=1.0
- (no CPE)range: <=1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.