Description
The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mxp_fb2wp_display_embed' shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the 'post_id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The XX2WP Integration Tools plugin for WordPress allows stored XSS because the ‘mxp_fb2wp_display_embed’ shortcode does not sanitize the user‑supplied ‘post_id’ parameter, a flaw identified as CWE‑79. Attackers who can authenticate as a contributor or higher can insert arbitrary scripts that will execute when any user loads the affected page, potentially stealing credentials or defacing content. The CVSS score of 6.4 reflects the severity of this worst‑case scenario.

Affected Systems

All installations of the XX2WP Integration Tools plugin with a version of 1.9.9 or earlier are affected. The vulnerability is specific to the WordPress plugin identified by the CNA as mxp:XX2WP Integration Tools.

Risk and Exploitability

The EPSS score is less than 1%, indicating a low but non‑zero probability that the flaw will be targeted. The issue is not listed in CISA’s KEV catalog. Because exploitation requires an authenticated user with at least contributor access, an attacker must first gain or use legitimate WordPress credentials. Once the payload is stored, the cross‑site scripting effect will occur for any other visitor, exposing the site to data theft or session hijacking.

Generated by OpenCVE AI on April 22, 2026 at 14:06 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade XX2WP Integration Tools to a version newer than 1.9.9 that implements proper input sanitization for the ‘post_id’ parameter.
  • If an upgrade is infeasible, remove or disable the ‘mxp_fb2wp_display_embed’ shortcode and restrict its use to trusted administrators only.
  • Sanitize the ‘post_id’ value on input by allowing only numeric identifiers before storing or rendering the content.
  • Audit existing posts for injected scripts and clean any discovered instances to eliminate the stored XSS risk.
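The two defensive steps above (accept only numeric identifiers, and audit stored content) as an added illustration that is not the plugin's own code and is not taken from OpenCVE: the shortcode tag and the 'post_id' attribute come from the advisory, while the handler name, the rendered markup and the audit helper are assumptions made for this example. It uses only standard WordPress functions (shortcode_atts, absint, esc_attr, esc_url, esc_html, get_shortcode_regex, shortcode_parse_atts).

```php
<?php
// Added example (not the XX2WP plugin's own code): a hardened shortcode
// handler plus an audit helper for the remediation steps listed above.
// Handler name, output markup and audit function are assumptions.

/**
 * Render the embed for a numeric post ID only. Anything that is not a
 * positive integer is rejected before it can reach the output.
 */
function hardened_fb2wp_display_embed( $atts ) {
    $atts = shortcode_atts( array( 'post_id' => '' ), $atts, 'mxp_fb2wp_display_embed' );

    // Input sanitization: absint() keeps nothing but a non-negative integer.
    $post_id = absint( $atts['post_id'] );
    if ( 0 === $post_id ) {
        // Non-numeric, empty or zero: render nothing and never echo the raw attribute back.
        return '';
    }

    $post = get_post( $post_id );
    if ( ! $post || 'publish' !== $post->post_status ) {
        return '';
    }

    // Output escaping: even a trusted integer is escaped, and the title is
    // escaped as text so that post content never becomes markup here.
    return sprintf(
        '<div class="fb2wp-embed" data-post-id="%s"><a href="%s">%s</a></div>',
        esc_attr( $post_id ),
        esc_url( get_permalink( $post ) ),
        esc_html( get_the_title( $post ) )
    );
}
add_shortcode( 'mxp_fb2wp_display_embed', 'hardened_fb2wp_display_embed' );

/**
 * Audit helper: return post IDs whose content uses the shortcode with a
 * post_id value that is not purely numeric, for manual review. Example
 * invocation from WP-CLI:
 *   wp eval 'print_r( audit_fb2wp_shortcode_usage() );'
 */
function audit_fb2wp_shortcode_usage() {
    $suspicious = array();
    // get_shortcode_regex() limited to this one tag; group 3 is the attribute string.
    $pattern = '/' . get_shortcode_regex( array( 'mxp_fb2wp_display_embed' ) ) . '/s';

    $candidates = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        's'           => 'mxp_fb2wp_display_embed', // narrow the scan to posts containing the tag
    ) );

    foreach ( $candidates as $candidate ) {
        if ( ! preg_match_all( $pattern, $candidate->post_content, $matches ) ) {
            continue;
        }
        foreach ( $matches[3] as $attr_string ) {
            $attrs = shortcode_parse_atts( $attr_string );
            $value = isset( $attrs['post_id'] ) ? (string) $attrs['post_id'] : '';
            if ( ! ctype_digit( $value ) ) {
                // Anything other than a run of digits is flagged: missing, quoted markup, etc.
                $suspicious[ $candidate->ID ] = $value;
            }
        }
    }
    return $suspicious; // post ID => offending post_id value
}
```

The handler fails closed: an attribute that is not a positive integer renders nothing rather than an error that repeats the input. The audit function does not modify content; it only reports posts whose shortcode attributes need a human look before cleanup.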


Tracking


Advisories

No advisories yet.

History

Mon, 20 Oct 2025 20:00:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Oct 2025 13:30:00 +0000

Type               | Values Removed | Values Added
First Time appeared |                | Wordpress; Wordpress wordpress
Vendors & Products  |                | Wordpress; Wordpress wordpress

Sat, 18 Oct 2025 05:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mxp_fb2wp_display_embed' shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the 'post_id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title       |                | XX2WP Integration Tools <= 1.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:39.687Z

Reserved: 2025-10-16T13:19:16.646Z

Link: CVE-2025-11857

Vulnrichment

Updated: 2025-10-20T18:59:29.060Z

NVD

Status: Deferred

Published: 2025-10-18T06:15:38.720

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:15:20Z

Weaknesses