Description
The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inline_css' parameter in the `bg-hide-email-address` shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via the inline_css shortcode parameter, allowing authenticated Contributor-level users to inject scripts that run in any user’s browser when they view affected pages.
Action: Patch Immediately
AI Analysis

Impact

The Hide Email Address plugin for WordPress includes a stored cross‑site scripting vulnerability that is triggered by submitting malicious content to the inline_css attribute of its shortcode. An attacker who can add or edit posts with contributor or higher privileges can place arbitrary JavaScript in the inline_css field; when any user views the page, the payload executes with the user’s browser context. This can lead to session hijacking, content injection, or defacement of the site, representing a serious threat to confidentiality, integrity, and availability of the website’s content and user sessions.

Affected Systems

The vulnerability affects the buntegiraffe Hide Email Address WordPress plugin, versions up to and including 0.1. No other products or versions are listed as affected.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity while the EPSS score of less than 1% shows a low probability of exploitation at this time. The vulnerability is not in the CISA KEV catalog. Exploitation requires that the attacker has authenticated access with Contributor or higher privileges, which is a moderate access requirement. Once achieved, the exploit is straightforward: submit malicious code via the inline_css attribute and rely on its execution in subsequent page views. The risk is mitigated by a lack of a public exploit, but the presence of the vulnerability in a widely used plugin warrants prompt remediation.

Generated by OpenCVE AI on April 20, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hide Email Address plugin to the latest available version, which removes the inline_css sanitization flaw.
  • If no update is available, disable the Hide Email Address plugin or delete posts that contain its shortcode to eliminate the vector.
  • Adjust WordPress role permissions so that Contributor and higher users cannot edit content that includes the hide‑email shortcode, limiting the ability to inject malicious scripts.

Generated by OpenCVE AI on April 20, 2026 at 21:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Buntegiraffe
Buntegiraffe hide Email Address
Wordpress
Wordpress wordpress
Vendors & Products Buntegiraffe
Buntegiraffe hide Email Address
Wordpress
Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inline_css' parameter in the `bg-hide-email-address` shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Hide Email Address <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Buntegiraffe Hide Email Address
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:13:39.383Z

Reserved: 2025-12-02T14:34:47.305Z

Link: CVE-2025-13884

cve-icon Vulnrichment

Updated: 2025-12-12T15:01:41.185Z

cve-icon NVD

Status : Deferred

Published: 2025-12-12T04:15:43.133

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13884

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses