Description
The MyBrain Utilities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins's 'mbumap' shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via stored input
Action: Patch
AI Analysis

Impact

The MyBrain Utilities plugin for WordPress is vulnerable to stored cross‑site scripting because it does not properly sanitize or escape user input supplied to the 'mbumap' shortcode. This flaw allows authenticated contributors or higher to inject arbitrary JavaScript that will run whenever any user views the affected content, enabling potential defacement or credential theft. The vulnerability is a classic stored XSS (CWE‑79).

Affected Systems

Affected systems include the WordPress plugin MyBrain Utilities developed by markohoven. All releases from the first version up to and including 1.0.8 are impacted. The flaw resides in the plugin’s shortcode handling within the public class file.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium‑severity vulnerability. The EPSS score of less than 1% suggests a very low likelihood of exploitation at present, and the flaw is not listed in the CISA KEV catalog. The attack vector requires an authenticated user with contributor‑level access or higher; such an attacker can add a malicious attribute to the mbumap shortcode in a post or page, which will then be stored in the database and executed for all subsequent page views.

Generated by OpenCVE AI on April 21, 2026 at 03:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MyBrain Utilities to a version newer than 1.0.8 if available.
  • If no newer version exists, remove or disable the mbumap shortcode for users with contributor or lower roles.
  • Implement a site‑wide XSS protection measure, such as a security plugin that sanitizes output from shortcodes.

Generated by OpenCVE AI on April 21, 2026 at 03:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27521 The MyBrain Utilities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins's 'mbumap' shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 11 Sep 2025 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 10 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Sep 2025 06:45:00 +0000

Type Values Removed Values Added
Description The MyBrain Utilities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins's 'mbumap' shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title MyBrain Utilities <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:20.021Z

Reserved: 2025-09-08T18:22:55.732Z

Link: CVE-2025-10126

cve-icon Vulnrichment

Updated: 2025-09-10T15:38:25.613Z

cve-icon NVD

Status : Deferred

Published: 2025-09-10T07:15:44.290

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10126

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:15:16Z

Weaknesses