VYPR
Medium severity 6.5 · NVD Advisory · Published Sep 26, 2025 · Updated Apr 23, 2026

CVE-2025-60099


Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in awsm.in Embed Any Document (embed-any-document) allows Stored XSS. This issue affects Embed Any Document: from n/a through <= 2.7.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-60099 is a stored Cross-Site Scripting (XSS) vulnerability in the Embed Any Document WordPress plugin (≤2.7.7) allowing attacker-injected scripts via improper input neutralization.

Vulnerability

Overview

The vulnerability is a stored Cross-Site Scripting (XSS) flaw in the embed-any-document WordPress plugin by awsm.in. Improper neutralization of user-supplied input during web page generation allows an attacker to inject arbitrary HTML or JavaScript that is stored and later served to other users [1]. This occurs in versions from n/a through 2.7.7 inclusive.

Exploitation

Conditions

Exploitation requires a user with certain WordPress privileges (typically an Author or higher role) to craft a malicious payload that is stored in the plugin's data. The attack does not require direct user interaction beyond a privileged user performing an action such as visiting a crafted page or submitting a form; the injected script then executes when any visitor loads the affected page [1]. No authentication bypass is involved — the attacker must have legitimate access to a privileged account.
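The weakness class described above, as an added illustration that is not the Embed Any Document plugin's own code: a hypothetical WordPress shortcode handler (`[doc_embed url="..." title="..."]`, names assumed) that interpolates stored shortcode attributes into markup verbatim, beside a hardened version that escapes each value for the context it lands in. Shortcode attributes are a common stored-XSS path for Author-level accounts because WordPress core's `wp_kses` post-content filtering strips `<script>` tags but leaves attribute text alone, so a plugin that echoes such text unescaped re-creates the sink. The `esc_url`, `esc_attr` and `shortcode_atts` stand-ins exist only so the file also runs outside WordPress; the stand-in `esc_url` is stricter than core's (http/https only).

```php
<?php
// Added example, not the plugin's code. Demonstrates a stored-XSS sink in a
// hypothetical shortcode handler and its escaped counterpart.

// Stand-ins for WordPress core functions so this runs under `php` on its own.
// Inside WordPress these branches are skipped and core's versions are used.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        $url = trim((string) $url);
        // Stand-in allows only http(s); javascript: and data: never reach src=.
        if (!preg_match('#^https?://#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts($pairs, $atts) {
        $atts = (array) $atts;
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable form: attribute values saved in post_content by an Author are
// placed into the page as-is, so every reader's browser receives them raw.
function docembed_vulnerable($atts) {
    return '<iframe src="' . $atts['url'] . '" title="' . $atts['title'] . '"></iframe>';
}

// Hardened form: fill defaults, then escape per context. esc_url() for the
// src attribute (rejects non-http(s) schemes), esc_attr() for plain attribute
// text. Refuse to render at all when no acceptable URL remains.
function docembed_hardened($atts) {
    $atts = shortcode_atts(['url' => '', 'title' => ''], $atts);
    $src  = esc_url($atts['url']);
    if ($src === '') {
        return '';
    }
    return '<iframe src="' . $src . '" title="' . esc_attr($atts['title']) . '"></iframe>';
}

// Register the hardened handler when running inside WordPress (hypothetical tag).
if (function_exists('add_shortcode')) {
    add_shortcode('doc_embed', 'docembed_hardened');
}

// Constructed sample: the kind of attribute text kses leaves untouched.
$stored = [
    'url'   => 'javascript:alert(document.cookie)',
    'title' => '" onload="alert(1)',
];
echo "vulnerable: ", docembed_vulnerable($stored), PHP_EOL;
echo "hardened:   '", docembed_hardened($stored), "'", PHP_EOL;

// And a benign document URL, which the hardened handler renders normally.
$benign = ['url' => 'https://example.com/report.pdf', 'title' => 'Q3 "draft" report'];
echo "hardened:   ", docembed_hardened($benign), PHP_EOL;
```

Run with `php docembed_demo.php`: the vulnerable handler emits the stored values verbatim (a `javascript:` scheme in `src` and a broken-out `onload` attribute), the hardened handler emits nothing for that input and, for the benign input, an iframe whose title has its quotes encoded as `&quot;`. The point for reviewers of plugin code is that escaping has to happen at output time, per context, regardless of what the content filters upstream were expected to do.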

Impact

Successful exploitation can lead to execution of malicious scripts in the context of the victim's browser. This includes redirection to attacker-controlled sites, display of unauthorized advertisements, theft of session cookies, or defacement of the site content [1]. The CVSS v3 base score is 6.5 (Medium), reflecting a moderate impact with somewhat complex attack requirements.

Mitigation

The vendor has released version 2.7.8, which patches the vulnerability. Users are strongly advised to update immediately to 2.7.8 or later [1]. For users of the Patchstack service, auto-update can be enabled for vulnerable plugins. Workarounds include restricting user roles or using web application firewall rules, but the recommended action is applying the official update.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.