CVE-2025-46445
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Stored XSS in External Markdown WordPress plugin <=0.0.1 allows attackers to inject arbitrary web scripts via unsanitized input, leading to potential account compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in External Markdown WordPress plugin <=0.0.1 allows attackers to inject arbitrary web scripts via unsanitized input, leading to potential account compromise.
Vulnerability
The External Markdown plugin for WordPress (slug: external-markdown) is vulnerable to Stored Cross-Site Scripting (XSS) due to improper neutralization of user-supplied input during web page generation. Versions through and including 0.0.1 are affected. The vulnerability exists in the plugin's handling of markdown content, where arbitrary HTML or JavaScript can be injected and stored, to be executed when a victim views the affected page.
Exploitation
An attacker with the ability to submit or modify content processed by the plugin (e.g., via comments, posts, or other input fields) can inject malicious script payloads. No authentication is required beyond the access needed to provide input; the plugin does not sanitize the markdown input before rendering. The injected script is stored on the server and executed in the context of any user who later views the page.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of a viewing user. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attacker's script runs with the privileges of the victim's WordPress user session, potentially enabling actions such as posting content or modifying settings if the victim is an administrator.
Mitigation
As of April 24, 2025, the External Markdown plugin has been closed and removed from the WordPress.org plugin directory due to a security issue [1]. No patched version has been released. Users who have the plugin installed should immediately uninstall it and remove any stored content that may contain malicious payloads. There is no known workaround aside from disabling or deleting the plugin entirely.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<= 0.0.1+ 1 more
- (no CPE)range: <= 0.0.1
- (no CPE)range: <=0.0.1
Patches
0external-markdownThis plugin has been removed from the WordPress.org directory on 2025-04-24 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.