VYPR
Medium severity (score 6.5) · NVD Advisory · Published Nov 21, 2025 · Updated Apr 27, 2026

CVE-2025-66066

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvoThemes Envo Extra envo-extra allows Stored XSS. This issue affects Envo Extra: from n/a through <= 1.9.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in Envo Extra plugin for WordPress up to 1.9.11 allows attackers to inject malicious scripts via improper input sanitization.

The Envo Extra plugin for WordPress suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. The plugin fails to sanitize or escape input before storing and outputting it, enabling attackers to inject arbitrary HTML and JavaScript code [1].

Exploitation requires an authenticated user with at least contributor-level privileges, who can inject the malicious payload into a page or post. The vulnerability is triggered when other users, including site visitors, access the affected page, executing the injected script. User interaction is required for the initial injection but not for the victim's browser to execute the script [1].

An attacker can leverage this to inject redirects, advertisements, or other HTML payloads that execute in the context of the victim's session. This can lead to unauthorized actions, data theft, or further compromise of the WordPress site [1].

The vulnerability affects Envo Extra versions from n/a through 1.9.11. Users are strongly advised to update to version 1.9.12 or later, which resolves the issue. Patchstack users can enable auto-updates for vulnerable plugins [1].
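As an added illustration of the mechanism the description names (stored input rendered into a page without neutralization), and not code from Envo Extra, from the advisory, or from Patchstack: a plain-PHP sketch of the unescaped output pattern beside the escaped and allow-listed forms, plus a small check a plugin maintainer could keep in a unit test around output functions. The widget markup, the sample field value and the helper names are constructed assumptions; the WordPress functions it prefers when loaded (esc_html, wp_kses_post) are real, and the script falls back to core PHP so it runs outside WordPress.

```php
<?php
// Added illustration for this advisory (not Envo Extra's code): the generic
// CWE-79 stored-XSS pattern (no neutralization at output) beside the escaped
// form. Inside WordPress, esc_html()/esc_attr() and wp_kses_post() are the
// equivalents; the helpers fall back to core PHP when they are not defined.

/** Constructed sample: a value a contributor-level user saved into a post field. */
const CONSTRUCTED_INPUT = 'Hello <script>/* constructed marker */</script> world';

/** Vulnerable pattern: the stored value is concatenated into the page untouched. */
function render_unescaped(string $stored): string
{
    return '<div class="widget-text">' . $stored . '</div>';
}

/** Escape for an HTML text context; uses esc_html() when WordPress is loaded. */
function escape_html(string $value): string
{
    if (function_exists('esc_html')) {
        return esc_html($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened pattern: the same stored value escaped at the point of output. */
function render_escaped(string $stored): string
{
    return '<div class="widget-text">' . escape_html($stored) . '</div>';
}

/**
 * When the field legitimately holds HTML (post-style content), allow-list it
 * instead of escaping everything; wp_kses_post() does this in WordPress.
 * The fallback keeps a short tag allow-list and drops everything else,
 * which is safe but coarser than kses (it does not filter attributes).
 */
function allowlist_html(string $value): string
{
    if (function_exists('wp_kses_post')) {
        return wp_kses_post($value);
    }
    return strip_tags($value, '<p><a><strong><em><ul><ol><li><br>');
}

/**
 * Defender-side check for a rendered fragment: true when no raw <script> tag
 * and no inline event-handler attribute survived into the output.
 */
function is_neutralized(string $html): bool
{
    return !preg_match('/<script\b|\son[a-z]+\s*=/i', $html);
}

// Demonstration on the constructed sample.
$unsafe = render_unescaped(CONSTRUCTED_INPUT);
$safe   = render_escaped(CONSTRUCTED_INPUT);
$kses   = allowlist_html(CONSTRUCTED_INPUT);

printf("unescaped output neutralized? %s\n", is_neutralized($unsafe) ? 'yes' : 'no');
printf("escaped output neutralized?   %s\n", is_neutralized($safe) ? 'yes' : 'no');
printf("allow-listed neutralized?     %s\n", is_neutralized($kses) ? 'yes' : 'no');
echo "escaped markup: ", $safe, "\n";
```

Run it with `php` from the command line. The point it makes is the one the advisory description turns on: sanitizing on input is not a substitute for escaping at output, and the escaping function must match the context the value lands in (text, attribute, or allow-listed HTML), which is why `is_neutralized` inspects the rendered fragment rather than the stored value.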

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0
No patches discovered yet.

Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0
No linked articles in our index yet.