CVE-2025-50043
Description
Stored XSS vulnerability in WordPress Code Engine plugin up to version 0.3.2 allows authenticated attackers to inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting (XSS) vulnerability exists in the WordPress Code Engine plugin by Jordy Meow, affecting versions from n/a through 0.3.2 [1]. The issue arises from improper neutralization of user input during web page generation, enabling attackers to inject malicious scripts that are stored on the server [1].
Exploitation requires a privileged user account (such as an editor or administrator) to interact with a crafted input, which could be delivered via a malicious link or form submission [1]. Once the injected script is stored, it executes in the context of visitors' browsers when they access the affected page [1].
The impact includes the ability to redirect visitors to malicious sites, display unauthorized advertisements, or perform other client-side attacks. User interaction is required, but no additional privileges beyond the role needed to insert content are necessary for the initial injection [1].
Users are strongly advised to update the plugin to version 0.3.3 or later, which resolves the vulnerability. For those unable to update immediately, it is recommended to contact a hosting provider or web developer for assistance, and Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries, both without a CPE identifier:
- (no CPE) range: <=0.3.2
- (no CPE) range: <=0.3.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Stored Cross-Site Scripting (XSS) due to improper neutralization of user-controllable input in PHP code snippets before it is rendered in the WordPress admin interface."
Attack vector
An authenticated attacker with the ability to create or edit PHP code snippets (e.g., a contributor-level or higher WordPress user) can inject malicious JavaScript into snippet content. Because the plugin does not neutralize user-controllable input before placing it into the web page output [CWE-79], the injected script is stored in the database and executed in the browsers of other users (including administrators) who view or manage snippets in the admin dashboard. The CVSS vector indicates the attack is over the network, requires low complexity, and needs low-privilege authentication plus user interaction (e.g., an admin viewing the snippet list).
Affected code
The advisory does not specify exact file paths or function names. The vulnerability exists in the snippet rendering logic of the Code Engine plugin (code-engine) for WordPress, versions through 0.3.2 [1]. The plugin's admin interface displays user-created PHP code snippets without proper output escaping, leading to stored XSS.
What the fix does
The advisory does not include a patch diff. The plugin changelog shows that version 0.3.3 added a check for `DISALLOW_UNFILTERED_HTML` for JavaScript content type snippets, and version 0.3.1 fixed a sanitization function by removing an unnecessary argument [1]. However, no explicit fix for stored XSS in PHP snippet content is documented in the changelog entries up to version 0.4.7. The remediation guidance is therefore inferred: the plugin should escape or sanitize snippet content before rendering it in the admin interface, applying WordPress's built-in escaping functions (e.g., `esc_html()`) to prevent script execution.
Preconditions
- auth: Attacker must have an authenticated WordPress user account with permission to create or edit code snippets (e.g., Contributor role or higher).
- config: The Code Engine plugin must be installed and activated on the target WordPress site.
- input: A victim user (e.g., Administrator) must view the page where the malicious snippet is rendered (e.g., the snippet list or editor in the admin dashboard).
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.