Description
The My AskAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'myaskai' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-30
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting via the My AskAI plugin
Action: Patch
AI Analysis

Impact

The vulnerability exists in the My AskAI WordPress plugin and allows an authenticated user with contributor-level access to insert arbitrary web scripts into the plugin’s shortcode attributes. This stored cross‑site scripting flaw causes the injected script to run whenever any user views a page that contains the vulnerable shortcode, enabling attackers to hijack user sessions, deface content, or exfiltrate data within the affected site. The weakness originates from insufficient input sanitization and missing output escaping, as identified in CWE‑79.

Affected Systems

All installations of the My AskAI plugin for WordPress, up to and including version 1.0.0, are affected. The issue applies to the plugin’s shortcode handling regardless of the site's overall WordPress version.

Risk and Exploitability

With a CVSS score of 6.4 the flaw is considered moderate severity. The EPSS score of less than 1% suggests a low probability of widespread exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. However, the attack requires only contributor‑level authenticated access, which is commonly granted in collaborative sites, making exploitation relatively straightforward when the plugin is present and the shortcode is used. Once a payload is injected, it persists in the stored content and will run automatically for all users who view the affected page.

Generated by OpenCVE AI on April 22, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the My AskAI WordPress plugin to the latest release, which removes the unsafe handling of shortcode attributes.
  • Locate any pages, posts, or other content that contain the malicious myaskai shortcode, and replace or delete the injected script or alter the attributes to neutralize the payload.
  • If an immediate upgrade is not possible, disable the myaskai shortcode or uninstall the plugin entirely to block further exploitation while a patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 22:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31698 The My AskAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'myaskai' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 30 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Sep 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Type Values Removed Values Added
Description The My AskAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'myaskai' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title My AskAI <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:28.584Z

Reserved: 2025-09-09T14:27:11.749Z

Link: CVE-2025-10179

cve-icon Vulnrichment

Updated: 2025-09-30T13:24:49.556Z

cve-icon NVD

Status : Deferred

Published: 2025-09-30T11:37:37.717

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10179

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T22:15:26Z

Weaknesses