Description
The AP Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'adv_parallax_back' shortcode in all versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-03
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that can be triggered by authenticated users with contributor or higher access.
Action: Patch Now
AI Analysis

Impact

The AP Background WordPress plugin is vulnerable to stored cross‑site scripting through the "adv_parallax_back" shortcode. Improper input sanitization and output escaping allow an authenticated contributor to insert arbitrary scripts into pages. These scripts execute whenever a user visits the affected page, potentially compromising the user’s session, leaking data, or performing unauthorized actions.

Affected Systems

All WordPress installations running the AP Background plugin version 3.8.2 or earlier are impacted. The plugin is distributed by the hovanesvn project. Users should verify their plugin version and upgrade if it is 3.8.2 or earlier.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating moderate severity. The EPSS score of less than 1% suggests a very low current exploitation probability, and it is not listed in CISA’s KEV catalog. Exploitation requires the attacker to be authenticated with contributor or higher privileges, but once achieved the injected script will be delivered to all site visitors who view the affected page. The risk to the site remains significant for an authenticated attacker possessing the required role.

Generated by OpenCVE AI on April 21, 2026 at 02:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AP Background plugin to version 3.8.3 or later, which removes the unescaped shortcode handling.
  • If an update is not immediately available, deactivate or uninstall the plugin until a fix can be applied.
  • Review recent content for injected scripts and delete any malicious code from affected posts or pages.
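As an added example (not part of this advisory and not the plugin's code), a small Python audit that approximates the third action above: it parses stored post content for the 'adv_parallax_back' shortcode and flags attribute values carrying markup, inline event handlers or javascript: URLs, the kinds of values that only become harmful when the plugin prints them without escaping. The post IDs, attribute names and post contents are constructed for illustration, and the attribute grammar is a simplification of WordPress's shortcode_parse_atts().

```python
import re
from collections import namedtuple

# Shortcode named in the advisory; post IDs and attribute names below are constructed.
SHORTCODE = "adv_parallax_back"

# Opening shortcode tag: [adv_parallax_back attr="..." ...]  (closing [/...] tags do not match)
TAG_RE = re.compile(r"\[" + re.escape(SHORTCODE) + r"\b([^\]]*)\]", re.IGNORECASE)
# Simplified form of WordPress's shortcode_parse_atts(): key="v", key='v' or key=v
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Attribute values that are only dangerous when output skips esc_attr()/esc_url()
SUSPICIOUS = [
    (re.compile(r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b", re.I), "html tag in attribute"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
]

Finding = namedtuple("Finding", "post_id attr value reason")

def audit_post(post_id: int, content: str) -> list:
    """Return one Finding per suspicious attribute of each adv_parallax_back tag in a post."""
    findings = []
    for tag in TAG_RE.finditer(content):
        for m in ATTR_RE.finditer(tag.group(1)):
            name = m.group(1)
            value = next(g for g in m.groups()[1:] if g is not None)
            if re.fullmatch(r"on[a-z]+", name, re.I):  # the attribute name itself is a handler
                findings.append(Finding(post_id, name, value, "event-handler attribute name"))
                continue
            for pattern, reason in SUSPICIOUS:
                if pattern.search(value):
                    findings.append(Finding(post_id, name, value, reason))
                    break
    return findings

def audit_posts(posts: dict) -> list:
    """Audit a {post_id: post_content} mapping, e.g. rows exported from the wp_posts table."""
    return [f for post_id, content in posts.items() for f in audit_post(post_id, content)]

# Constructed sample post_content rows: 101 is benign, 102 and 103 carry injected attribute values.
SAMPLE_POSTS = {
    101: '[adv_parallax_back image="https://example.com/bg.jpg" speed="0.5"]Hero[/adv_parallax_back]',
    102: "[adv_parallax_back image='https://example.com/bg.jpg\" onerror=\"alert(1)']Hero[/adv_parallax_back]",
    103: '[adv_parallax_back image="javascript:void(0)"]',
}

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f.post_id}: {f.attr}={f.value!r} ({f.reason})")
```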


Advisories
Source: EUVD
ID: EUVD-2025-32245
Title: The AP Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'adv_parallax_back' shortcode in all versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Mon, 06 Oct 2025 14:45:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Fri, 03 Oct 2025 14:15:00 +0000

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Oct 2025 11:30:00 +0000

Type: Description
Values added: The AP Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'adv_parallax_back' shortcode in all versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values added: AP Background <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:11.812Z

Reserved: 2025-09-09T13:28:12.112Z

Link: CVE-2025-10165

Vulnrichment

Updated: 2025-10-03T13:57:17.098Z

NVD

Status: Deferred

Published: 2025-10-03T12:15:41.733

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10165

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:45:25Z

Weaknesses