CVE-2025-15658

Vulnerability

The WP Emmet plugin for WordPress, versions 0.3.4 and earlier, contains a Cross-Site Scripting (XSS) vulnerability. This administrator-level XSS occurs due to insufficient input sanitization or output escaping, allowing authenticated users with administrative privileges to inject arbitrary scripts. Affected versions: <= 0.3.4 [1].

Exploitation

An attacker with Administrator access can inject malicious scripts (e.g., through plugin settings or input fields). While the attacker must be an Admin, successful exploitation requires another privileged user (such as another admin) to interact with the crafted content, such as clicking a malicious link or visiting a specific page. The script executes when the target user views the affected page [1].

Impact

Successful exploitation allows the attacker to inject malicious scripts, enabling actions such as redirects, advertisements, or other HTML payloads. This can lead to information disclosure, session hijacking, or website defacement, affecting visitors and other users [1].

Mitigation

Update the WP Emmet plugin to the latest available version. The vulnerability is patched in versions beyond 0.3.4. If updating is not immediately possible, contact your hosting provider or web developer for assistance [1]. No other workarounds are disclosed.