Description
The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'idx_frame' shortcode in all versions up to, and including, 3.14.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-03-07
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The Flexmls® IDX Plugin for WordPress allows an authenticated user with contributor or higher privileges to insert arbitrary JavaScript into pages through the idx_frame shortcode. The plugin fails to sanitize or escape user‑supplied attributes, enabling a stored cross‑site scripting vulnerability that will execute in the browser context of any visitor to the affected page. This can lead to session hijacking, defacement, or theft of visitor data.

Affected Systems

All installations of the Flexmls® IDX Plugin with a version of 3.14.27 or older are affected. The vulnerability exists in every release up to and including 3.14.27.

Risk and Exploitability

The CVSS base score of 6.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog. An attacker must first be authenticated and possess at least contributor role privileges to inject the malicious script. Once injected, the script runs automatically whenever a page containing the idx_frame shortcode is viewed, potentially compromising all users who access those pages.

Generated by OpenCVE AI on April 28, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flexmls® IDX Plugin to a version newer than 3.14.27 that removes the unsafe idx_frame handling.
  • If an upgrade cannot be performed immediately, restrict the idx_frame shortcode to administrator users only or remove it from all pages until a patch is available.
  • Implement a web application firewall rule or use the Wordfence plugin to block XSS payloads targeting the plugin’s parameters, thereby reducing the chance of successful script injection.

Generated by OpenCVE AI on April 28, 2026 at 03:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7370 The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'idx_frame' shortcode in all versions up to, and including, 3.14.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Fri, 07 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 07 Mar 2025 07:30:00 +0000

Type Values Removed Values Added
Description The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'idx_frame' shortcode in all versions up to, and including, 3.14.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Flexmls® IDX <= 3.14.27 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:26.560Z

Reserved: 2025-01-29T21:23:59.278Z

Link: CVE-2025-0863

cve-icon Vulnrichment

Updated: 2025-03-07T15:47:25.696Z

cve-icon NVD

Status : Deferred

Published: 2025-03-07T08:15:40.827

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0863

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T03:30:19Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')