Description
The Jeba Cute forkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter in the 'jeba_forkit' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (authenticated, contributor+)
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored XSS that occurs when an authenticated user with contributor-level access submits the 'text' attribute of the jeba_forkit shortcode. Because the plugin fails to sanitize or escape user-supplied input, an attacker can store malicious JavaScript that will run in any browser that loads a page containing the shortcode. This enables session hijacking, defacement, or execution of arbitrary code in the context of the site.

Affected Systems

The plug‑in Jeba Cute forkit version 1.0 (and all earlier releases) for WordPress is affected. The issue exists whenever the plugin is installed and the shortcode is used within posts or pages. No specific WordPress core versions are mentioned.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating medium severity. The EPSS score is below 1 %, suggesting that exploitation is unlikely at present, and it is not listed in the CISA KEV catalog. An attacker would need authenticated contributor or higher privileges to inject the payload, meaning the attack surface is limited to users who can add or edit content. Once the malicious code is stored, it executes for every visitor who loads the affected page, providing the attacker with the same privileges as the visitor.

Generated by OpenCVE AI on April 21, 2026 at 01:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jeba Cute forkit to a version that removes this flaw by checking the official plugin repository for a patched release and installing it immediately.
  • If an upgrade is not available or feasible, disable or remove the plugin entirely, or delete all posts that use the jeba_forkit shortcode until a fix is applied.
  • Restrict contributor roles or convert contributors to read‑only accounts until the vulnerability is resolved, thereby limiting the number of users who can inject payloads.
  • Review all existing content for injected scripts and sanitize or delete any posts that contain malicious code.
  • Deploy a content security policy that blocks inline scripts to mitigate the impact of any accidental XSS execution.

Generated by OpenCVE AI on April 21, 2026 at 01:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 14 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Jeba Cute forkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter in the 'jeba_forkit' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Jeba Cute forkit <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:51.073Z

Reserved: 2025-11-03T21:03:23.199Z

Link: CVE-2025-12663

cve-icon Vulnrichment

Updated: 2025-11-14T15:20:59.437Z

cve-icon NVD

Status : Deferred

Published: 2025-11-11T04:15:48.933

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12663

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses