Description
The Layers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-30
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The Layers WordPress plugin is vulnerable to stored cross‑site scripting through its 'webcam' shortcode. The flaw arises because user‑supplied shortcode attributes are neither properly sanitized on input nor escaped on output. An authenticated user with contributor access or higher can therefore place a script in the shortcode's attributes; that script is stored with the post or page and executes in the browser of anyone who views it. This allows an attacker to run arbitrary client‑side code, potentially leading to session hijacking, defacement, or phishing. The weakness is classified as CWE‑79.

Affected Systems

The affected vendor is StripesWP and the affected product is Layers. All released versions up to and including 0.5 of the plugin are impacted. The plugin is used within WordPress installations where the 'webcam' shortcode is available.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium level of severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker is authenticated with contributor access or higher. An attacker can then insert malicious scripts through the 'webcam' shortcode, which will be rendered in the output when a page containing that shortcode is loaded by any site visitor.

Generated by OpenCVE AI on April 22, 2026 at 13:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Layers plugin to version 0.6 or later where the stored XSS issue is fixed.
  • If an update is not possible, revoke contributor‑level access for users who can add or edit content containing the webcam shortcode, or remove the shortcode capability altogether.
  • As an interim workaround, configure WordPress to filter or strip script tags from post content, or use a security plugin that automatically sanitizes user input before saving.

Advisories

Source: EUVD
ID: EUVD-2025-31696
Title: The Layers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type: References

Tue, 30 Sep 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Sep 2025 09:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Type: Description
Values Added: The Layers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values Added: Layers <= 0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:57.875Z

Reserved: 2025-09-08T19:25:42.244Z

Link: CVE-2025-10130

Vulnrichment

Updated: 2025-09-30T13:22:13.899Z

NVD

Status : Deferred

Published: 2025-09-30T11:37:37.190

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses