Description
The Material Design Iconic Font Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdiconic' shortcode in all versions up to, and including, 2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-10-22
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (CWE‑79)
Action: Apply patch
AI Analysis

Impact

The Material Design Iconic Font Integration plugin for WordPress includes a shortcode that accepts user‑supplied attributes without proper sanitization or escaping. This flaw enables authenticated users with contributor or higher privileges to embed arbitrary JavaScript code into pages. Once injected, the scripts execute whenever any visitor loads the affected page, potentially compromising user sessions, stealing data, or defacing content.

Affected Systems

The vulnerability exists in the mcostales84:Material Design Iconic Font Integration WordPress plugin for all releases through version 2. Users running any of those releases are susceptible to exploitation.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The EPSS score of less than 1% signals a low probability of exploitation underway, and the vulnerability has not been listed in the CISA KEV catalog. Attackers must first be authenticated with contributor level or better and must inject malicious payloads via the shortcode’s attributes; the code is then stored and served to site visitors, making the threat a typical stored XSS event.

Generated by OpenCVE AI on April 27, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest release, which implements proper input sanitization and output escaping to mitigate the stored XSS flaw.
  • If an upgrade is not immediately possible, restrict or remove the Contributor role from users who are allowed to edit the shortcode or prevent the shortcode from processing attributes containing script tags.
  • As a temporary workaround, configure the site’s security plugins or server settings to strip JavaScript from content stored via the plugin, or block use of the plugin entirely until a patched version is available.

Generated by OpenCVE AI on April 27, 2026 at 23:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Oct 2025 08:45:00 +0000

Type Values Removed Values Added
Description The Material Design Iconic Font Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdiconic' shortcode in all versions up to, and including, 2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Material Design Iconic Font Integration <= 2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:49.315Z

Reserved: 2025-10-16T16:00:31.227Z

Link: CVE-2025-11872

cve-icon Vulnrichment

Updated: 2025-10-22T15:44:57.740Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T09:15:35.490

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11872

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T23:45:15Z

Weaknesses